FIPS 140 Consulting

ThinqSoft offers full-service consulting for the entire FIPS 140 process. We can help you prepare early and design smartly for an upcoming product validation, minimizing risk and effort. When your validation project begins, we can manage the entire process for you and provide subject matter expertise at every step of the way.

Industry-Leading Expertise on FIPS 140 Validation

To achieve FIPS 140 validation, we offer the critical elements described below, as a package or à la carte.

The requirements of FIPS 140 are both restrictive and, at times, non-intuitive. If you have a product you would like to take through the FIPS 140 validation process, ThinqSoft can help you with the architecture of the product to ensure that the FIPS 140 requirements are properly implemented from the start. It is vastly more difficult to try to modify an existing product to “bolt on” FIPS 140 compliance.

As early in your development cycle as possible, ThinqSoft can come on-site to perform a FIPS 140 training seminar and compliance workshop. The entire process takes approximately two days, and should be attended, partially or fully, by product leads, managers, and engineers.

Topics covered include:

  • FIPS history and necessity, government regulations that mandate FIPS 140, and the sales opportunities that are created with a FIPS-validated product.
  • Competitive analysis of products in your market space with respect to FIPS 140.
  • FIPS 140 scope and specific requirements.
  • Validation process and timelines.

During the workshop, your team will be asked to present the security architecture of your product so that ThinqSoft can become familiar with its inner workings. We'll then walk through your architecture with the FIPS 140 requirements in mind and identify the potential compliance gaps in the current design.

A few weeks after the workshop, ThinqSoft will provide a Gap Analysis document that outlines all of our findings about your product. Your engineering teams can use this document for resource and roadmap planning.

Implementing an architecture that satisfies the FIPS 140 requirements can be challenging. ThinqSoft's engineers are experts at finding creative solutions to these types of tough engineering challenges. Many times, we can address issues through documentation or with minimal changes. In some cases, the requirements mean real changes to core functions. We've helped many clients create solutions designed to minimize disruption to the existing architecture, keep the customer experience consistent, and enhance product functionality in complementary ways.

ThinqSoft can be engaged on a per-project or hourly basis. We can provide consulting at whatever scope is desirable, from overall security architecture consulting to focused cryptographic library integration.

A FIPS 140 validation requires detailed documentation about the security architecture of your product. These documents must address the specific requirements of FIPS 140, and must do so in a way that correctly describes how your module satisfies each requirement. These documents can be challenging to create, and incorrectly documenting your product can introduce delays in the validation process. In a worst-case scenario, incorrect documentation could lead to a negative review by the lab and a need to re-engineer some portion of your product.

ThinqSoft can prepare all of the documentation necessary to satisfy the FIPS documentation requirements, and do so in a way that minimizes the risk during the review stages. We have extensive experience creating these documents, and know how to describe your product in ways that will lead to positive reviews by the validation labs.

ThinqSoft can assist you in managing the entire FIPS validation process. We have close working relationships with all the major labs and can work with them to ensure a timely and risk-minimized path through the process.

We begin by assisting you in securing competitive bids for the validation of your module. We'll help you understand the bids so you can make a proper apples-to-apples comparison. Once you've selected your preferred lab, we can assist you in getting them under contract. You can contract the lab directly, or ThinqSoft can engage the lab as a subcontractor.

Once engaged, ThinqSoft will serve as the Project Manager (PM) for the entire project lifecycle. We’ll schedule and hold weekly meetings with you, and the lab when appropriate, to keep you informed on the progress of the project and to keep everyone on task. We’ll prepare and maintain a schedule with defined milestones to ensure the project is run smoothly.

Our most important function as PM is to be the main point of contact for the lab. We'll field all inquiries from the lab, whether they are general questions about the product or detailed questions about FIPS-related matters. The criteria for FIPS can be esoteric at times, and the language used to describe functionality is not always the same as that used in the technology community. We'll ensure that all of the lab's inquiries are answered in a manner that is consistent with both the product's capabilities and the specific FIPS requirements and jargon.

Upon completion of the lab review, a test report will be submitted to the Cryptographic Module Validation Program (CMVP) office within NIST, the body that oversees the FIPS 140 program. The CMVP review process is long and opaque, typically taking 6-9 months, and is often a source of frustration within the vendor community. ThinqSoft will monitor the progress of your module through the government review process and keep you informed, as best we can, about the current state of the queue. We'll work directly with the lab to address any additional inquiries made by the CMVP during their review.

Once your validation certificate is issued, we can help you work out appropriate press releases and marketing material to immediately begin to maximize your ROI from the process.

As part of the FIPS 140 process, your module must undergo algorithm testing as administered by the Cryptographic Algorithm Validation Program (CAVP), a companion program to the CMVP. The completion of testing and issuance of algorithm certificates are necessary for a FIPS 140 validation, and may be necessary for other security programs, such as Common Criteria (CC).

Some cryptographic modules, such as OpenSSL and Bouncy Castle, have considered this requirement in their development and include the capability of performing this testing out-of-the-box. Most, however, have never contemplated this type of testing, and are likely missing some key elements from their API that are necessary for testing. The testing regimen executes the cryptography in ways a typical user would not be allowed to, and requires very precise control over some operations, such as DRBG and RSA key generation (a DRBG under test, for example, must accept its entropy input and nonce directly from the test vector rather than drawing them from the operating system).

ThinqSoft has developed a test harness that is capable of interfacing with an extremely wide variety of cryptographic modules for the purposes of exercising them in accordance with the CAVP testing regimen. We will work with your engineers to develop a custom interface layer to your module, and can assist your engineers in creating a custom "test version" of your module that opens access to the private functions and precise control that testing requires.

We will work directly with the lab to obtain, execute, and validate the tests for any number of platforms you require. Upon completion, we will ensure proper submission to CAVP and issuance of your algorithm certificates.
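To make the "test version" idea concrete, here is an added illustration of a minimal known-answer-test (KAT) harness. It is not ThinqSoft's ACVPro and not code from this page; the vector layout, the `TestableModule` interface and the function names are assumptions made for the example. The known answers for SHA-256 (empty message and "abc") are the standard FIPS 180-4 values, and the HMAC-SHA-256 answer is RFC 4231 test case 1. The DRBG portion shows why a production API is not enough: the harness needs a hook that takes entropy input and nonce as arguments so that output can be reproduced byte for byte.

```python
"""Minimal CAVP/ACVP-style known-answer-test harness (added example, not ACVPro).

Assumed for illustration: the vector dictionary layout, the TestableModule
interface and all function names. Known answers: SHA-256 from FIPS 180-4,
HMAC-SHA-256 from RFC 4231 test case 1.
"""
import hashlib
import hmac


class TestableModule:
    """The 'test version' of a module: its normal API plus a hook that a
    production build would never expose (direct entropy/nonce injection for
    the DRBG), because CAVP vectors specify those inputs exactly."""

    def sha256(self, msg: bytes) -> bytes:
        return hashlib.sha256(msg).digest()

    def hmac_sha256(self, key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, hashlib.sha256).digest()

    def hmac_drbg_generate(self, entropy: bytes, nonce: bytes,
                           personalization: bytes, n_bytes: int) -> bytes:
        """HMAC_DRBG (SP 800-90A, SHA-256): instantiate then one generate call.
        A production instantiate() would pull entropy from the OS; this test
        build takes it as an argument so the output is reproducible."""
        def update(k: bytes, v: bytes, provided: bytes):
            k = hmac.new(k, v + b"\x00" + provided, hashlib.sha256).digest()
            v = hmac.new(k, v, hashlib.sha256).digest()
            if provided:
                k = hmac.new(k, v + b"\x01" + provided, hashlib.sha256).digest()
                v = hmac.new(k, v, hashlib.sha256).digest()
            return k, v

        k, v = b"\x00" * 32, b"\x01" * 32
        k, v = update(k, v, entropy + nonce + personalization)  # instantiate
        out = b""
        while len(out) < n_bytes:                                # generate
            v = hmac.new(k, v, hashlib.sha256).digest()
            out += v
        k, v = update(k, v, b"")                                 # post-generate update
        return out[:n_bytes]


# Constructed vector set, loosely modelled on an ACVP test-group layout.
VECTORS = {
    "SHA2-256": [
        {"msg": "", "md": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
        {"msg": "616263", "md": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
    ],
    "HMAC-SHA2-256": [
        {"key": "0b" * 20, "msg": "4869205468657265",  # "Hi There"
         "mac": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"},
    ],
}


def run_kats(module: TestableModule, vectors=VECTORS) -> dict:
    """Return {algorithm: [(case index, passed), ...]}. A real lab submission
    would emit the module's responses for comparison on the CAVP side; here
    the expected values are embedded so the check runs offline."""
    results = {}
    for alg, cases in vectors.items():
        results[alg] = []
        for i, tc in enumerate(cases):
            if alg == "SHA2-256":
                got = module.sha256(bytes.fromhex(tc["msg"]))
                expected = bytes.fromhex(tc["md"])
            elif alg == "HMAC-SHA2-256":
                got = module.hmac_sha256(bytes.fromhex(tc["key"]), bytes.fromhex(tc["msg"]))
                expected = bytes.fromhex(tc["mac"])
            else:
                raise ValueError(f"no dispatcher for {alg}")
            results[alg].append((i, got == expected))
    return results


def all_passed(results: dict) -> bool:
    return all(ok for cases in results.values() for _, ok in cases)


def drbg_is_reproducible(module: TestableModule) -> bool:
    """With entropy and nonce fixed by the vector file, two runs must agree
    byte for byte and a different nonce must change the output. Without the
    injection hook neither property could be checked."""
    entropy, nonce, pers = bytes(range(32)), b"\xaa" * 16, b"constructed-demo"
    a = module.hmac_drbg_generate(entropy, nonce, pers, 64)
    b = module.hmac_drbg_generate(entropy, nonce, pers, 64)
    c = module.hmac_drbg_generate(entropy, b"\xbb" * 16, pers, 64)
    return a == b and a != c and len(a) == 64


if __name__ == "__main__":
    mod = TestableModule()
    for alg, cases in run_kats(mod).items():
        print(alg, "PASS" if all(ok for _, ok in cases) else "FAIL")
    print("DRBG reproducible:", drbg_is_reproducible(mod))
```

In a real engagement the interface layer replaces `TestableModule` with an adapter to the vendor's module, and the vector set is the one the lab downloads from the CAVP server; the harness structure stays the same.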

Learn More about ACVPro

Download the ACVPro Overview to see how it can support your FIPS 140 validation projects.
