Continued from FIPS 140 Made Easy part 2…

“What about FIPS 140-3?”

“You should probably check the FIPS 140-3 standard as well.  Presently, it’s in a draft form.  So, it could change.  Still, it’s possible FIPS 140-3 could become the new standard before you’re through with your current certification effort.  Knowing what’s in it shouldn’t hurt you.  Here’s the link for you…”

http://csrc.nist.gov/publications/PubsDrafts.html#FIPS-140–3

“Anything else?” asked the product manager.

“Yes.  The next time you design a crypto device, consider whether you need a FIPS 140 certification and what level of certification you might need during the requirements definition phase.  It is usually easier to get your crypto design certified when it is designed to meet the security requirements from the outset.  Modifying an existing design to meet the same requirements, after the fact, can be quite difficult. “

The information security engineer got the job, but it was a short contract.  Soon, the product manager began to realize how important that last piece of advice was, and the company decided it didn’t have the time or the money to seize that big government business opportunity.

The End