The product manager smiled and offered his guest some coffee. “What we’ve managed to do is build a high performance cryptographic processor with just the right combination of algorithms and other characteristics. This has uniquely positioned our company for a rapidly growing market. It turns out that the US government is very interested, and we can seize a significant portion of this opportunity by moving quickly. The only problem is that the government wants our device to be FIPS certified before they’ll commit to buying any.” The product manager paused and waited for a response from his guest, an information security engineer who had experience designing products to meet NIST’s FIPS 140-2 requirements.
His guest suppressed a smile when he heard that getting a FIPS certification was “the only problem.” He knew from what had been said so far that there were many other problems. That’s because FIPS 140-2 consists of many requirements, and each one can result in a significant amount of work. He had been through this scenario twice before, and in both cases, the same big mistake had been made. The design engineers should have known about the FIPS 140-2 requirements from the beginning. Now there were bound to be software changes, retesting and additional troubleshooting. “Do you know what level of certification you need?” he asked.
“We’re thinking level 4,” the product manager replied. “Do you think that will be a problem?”
“Well… if you haven’t been designing for a level 4 FIPS certification up to this point, it’s highly likely you’re going to need both hardware and software design changes.”
“Do you have any suggestions for me?”
To Be Continued…