Security Division (CSD) and CSEC jointly serve as the validation authorities for the program, validating the test results and
issuing certificates.
The basic steps involved for a COTS storage company to
become validated under FIPS 140-2 include:
1. The COTS company hires a FIPS consultant in order to
avoid costly design mistakes and schedule slips.
2. The COTS company and consultant work in concert to
architect the hardware and firmware designs.
3. The COTS company and consultant determine which part
of the product is to be validated. This means defining the
encryption envelope.
4. The COTS company develops the storage product under
company-paid IRAD.
5. The COTS company hires a NIST-accredited testing lab.
6. The COTS company sends the product to the testing lab.
7. The COTS company makes the changes identified by the
testing lab.
8. The COTS company locks down the exact configuration.
9. The testing lab submits a report directly to NIST.
10. The COTS company and the testing lab respond to any
concerns from NIST and wait until the report is accepted
and the validation certificate is issued.
The process for development and FIPS validation of a storage
product is both costly and time-consuming. Steps 1 through
9 might take up to 2 years to accomplish depending on the
product complexity. Step 10 can take up to a year just
waiting for the actual certificate.
To protect SBU data, a lower-risk and less-costly approach
is to utilize COTS products that have already been validated
to FIPS 140-2. An example of a COTS data recorder with
FIPS 140-2 validated storage is the Curtiss-Wright Vortex 3U
FIPS Data Recorder, a rugged, open architecture COTS-based
data recording system. Curtiss-Wright's 3U OpenVPX flash
memory-based Vortex Storage Module (FSM) provides the
FIPS 140-2 validated encryption. It is combined with an Intel-based
single board computer running Linux and a recorder
application. With this FIPS recorder system housed in a rugged
four-slot VPX chassis, the recorder memory is scalable from 1 TB
to 6 TB. Utilizing such a data recorder system with FIPS 140-2
validated storage, SBU data-at-rest can be secured to a recognized standard with no schedule risk.
Paul Davis
Director of Product Management
Curtiss-Wright Controls Defense Solutions
www.cwcdefense.com