Entrust clears fourth hurdle in FIPS validation

Entrust Technologies Inc., which is steadily growing its federal market penetration in the security arena, has received its fourth certificate validating that its products meet a federal government standard for protecting unclassified information.

Version 4.0 of the company's cryptographic module, which is at the heart of all Entrust security products, was certified as meeting the Federal Information Processing Standard (FIPS) 140-1. This latest certification means that the Canada-based firm offers more certified modules, four in all, than any other software company on the validated products list.

Agencies are required to choose strictly from a list of validated products when purchasing cryptographic modules, which are systems that encrypt data, authenticate users' identities and rely on digital signatures, private-key management and other security services. To obtain a place on the list, products must be certified as conforming to the FIPS 140-1 standard.

Brian O'Higgins, executive vice president and chief technology officer at Entrust, said the independent, third-party testing required for the FIPS validation provides Entrust customers with added assurance that the company's security products provide the services the company claims to offer.

"If anything goes wrong in our product, we're dead," O'Higgins said. "We look for everything we can do to make sure we have high-quality products. Because of all the third-party scrutiny, I can guarantee to my customers that [Entrust products] work well."

Entrust was the first company whose products were certified to meet the FIPS 140-1 standard at a time when not many vendors were having products tested, despite the mandate for agencies to buy only certified products.

O'Higgins said some government procurement officials believe there are no products that meet the standard and therefore are applying for a waiver from the standard. He said he hopes companies such as Entrust that receive certification for multiple products will help "wake up the market for FIPS 140-1."

Despite the skepticism within some agencies, some federal users are paying close attention to the FIPS validated-products list. The Commerce Department's National Technical Information Service is experimenting with Entrust's certificate server product to offer public-key infrastructure services to other federal agencies.

Keren Cummins, director of NTIS' FedWorld information technologies, said the FIPS testing assures network administrators that the encryption and authentication technologies embedded in the products are working correctly.

In addition to Commerce, several other agencies have begun using Entrust server products for secure messaging, authentication for human resource systems, remote user authentication and protection of Privacy Act data. For example, the U.S. Southwest border patrol, in cooperation with the Justice Department, is using Entrust products for secure messaging to ensure that data being moved to and from agents in the field is protected.
