A federal standard that kicked in June 30 but has been largely ignored by vendors may now prohibit agencies from buying many popular hardware and software security products.
The Federal Information Processing Standard (FIPS) 140-1 requires that, after June 30, agencies buy only cryptographic modules - the systems used for data encryption, user authentication, digital signatures, key management and other services - that have been validated by government-accredited laboratories. The standard applies to all sensitive but unclassified data, such as medical records, tax information, personnel records and other records that may not be deemed classified but that need to be protected during transmission or storage.
But only five companies - Northern Telecom Inc., National Semiconductor Corp., Motorola Inc., Spyrus Inc. and Mykotronx Inc. - have received validation from the government's two accredited laboratories. Most of these vendors provide products to support the Defense Department's Fortezza program.
Notably absent from the list are companies with large federal customer bases for various cryptographic modules, such as Microsoft Corp., IBM Corp., AT&T, RSA Data Security, Novell Inc. and dozens of other vendors that support cryptography in their products. All smart card, smart disc and security token vendors also must have their products validated under the standard.
Some companies still are in the testing phase. Netscape Communications Corp. has completed all the compliance tests for the standard, and the company is awaiting final certification, according to a Netscape official.
Although given casual treatment so far by many vendors, the standard could have major implications for information technology procurement because agencies are required by the Clinger-Cohen Act to comply with FIPS unless a waiver is issued by the president, the secretary of Commerce or the head of an agency, said Carl Peckinpaugh, a procurement attorney at Washington, D.C.-based Winston & Strawn and a columnist for FCW.
FIPS "are mandates on the agencies, and the agencies are required to enforce them," he said. "If they're not doing it themselves, there are other independent entities, such as the [General Accounting Office] and the federal courts, that will. There are plenty of [procurement protest] cases where people have alleged failure to provide the specification. That's a legitimate protest if you prove it's a requirement. It's a real good issue."
The standard was crafted in 1994 by the National Institute of Standards and Technology, which gave vendors about three years - to June 30 - to receive validation for their products, a NIST spokeswoman said. Agencies, meanwhile, have been allowed to purchase products from companies that had provided written affirmation that their encryption products met the standard.