Published in Military & Aerospace Electronics
ASHBURN, Va. – In the world of security and trusted computing, there are many different disciplines involved, from cyber security to safety certification. With a constantly evolving set of standards and possible certifications, it can be confusing to understand what certifications might apply to your system, which of those are worthwhile, and what the important aspects are when considering certification or certified products.
There are certification authorities involved in trusted computing, which oversee different disciplines they oversee. It can be a challenge on when to get these certification authorities involved and make judgments on which these bodies are relevant in the U.S. and some international markets.
The National Institute of Standards and Technology (NIST) manages myriad standards across many industries. Some of these standards include areas of trusted computing, including cryptographic algorithms and documents used to define the Risk Management Framework (RMF).
Here are some of the certification programs related to trusted computing in military and avionics applications that are administered by NIST.
The Cryptographic Module Validation Program (CMVP) is administered together by NIST and the Canadian Centre for Cyber Security (CCCS). This program performs independent testing of cryptographic modules at independent labs for conformance to FIPS 140-2 Security Requirements for Cryptographic Modules. For stand-alone cryptographic modules, this certification can show thorough testing to provide confidence to customers on the security and implementation of cryptographic algorithms. FIPS 140-2 provides for multiple security levels (1 to 4) mainly related to physical security capabilities, so vendors need to ensure that they apply for the appropriate level of certification, and customers need to verify that products are certified to meet their required level of security.
The Cryptographic Algorithm Validation Program (CAVP) ensures that cryptographic algorithms have been faithfully implemented, either in hardware or software. CAVP is a prerequisite to CMVP. Systems designers can select subsets of algorithms for validation, and NIST maintains the list of certified testing laboratories and validated algorithm implementations.