Home >

Administration Guide > Standards and Validations > About FIPS Validation

About FIPS Validation

In many areas of the information security industry, validations against independent or government standards are considered a desirable or essential attribute of a product. The pre-eminent standard in the field is the FIPS (Federal Information Processing Standards) 140 standard from the United States government's NIST (National Institute of Standards and Technology at http://www.nist.gov).

SafeNet routinely seeks FIPS validation for our Luna products. We were among the very first to achieve FIPS 140-1 validation for an HSM, and have since re-submitted our Luna products when the standard changed (to 140-2) and whenever improvements to our product (or the introduction of new products) introduced enough change that the previous validation did not cover. Since the first, we have never failed to achieve the validation whenever we submit a product or variant.

In the case of appliance products, such as the Luna SA validation is performed against the HSM Keycard inside the appliance, and not against the entire appliance. Furthermore, the validation of the HSM is for a particular firmware version, only.

However, the process of re-validation, though shorter than a new, first-time validation is nevertheless lengthy and involved. Therefore, whenever we introduce a new product, or a product variant that is sufficiently modified to require a new validation, there is a delay of several months until the validation certificate is granted.

Also to be considered is that validation can be a moving target. A product that received validation against the standard several years ago might not pass today, not because the standard has changed, but because interpretation has evolved or because testing organizations have revised their emphasis in some areas.

Finally, older standards give way to newer. Due to the expense and time constraints, companies tend to stay with a previous version of an optional standard until there is sufficient market demand for validation to the newer standard.

What does this mean to me?

Check with SafeNet to learn the most current validation status of any product, or click the NIST link, above. If FIPS validation is a primary concern for your application, you may need to use a previous, validated version of a product, and forego the latest improvements and features. During the lifetime of a product, we try to ensure that a FIPS-validated version remains available for purchase, despite the existence of newer firmware and hardware versions (see note below).

If the features of a new release are critical to your application, and FIPS validation is not a gating requirement, then you can use the newest product release. Based on past performance, the most recent release is likely to receive validation within months.

Note:   It can happen that external circumstances make it impossible to fulfill the availability policy. An example from our own history was the introduction of the RoHS (Reduction of Hazardous Substances) legislation in the EU. Even where a company retained the capability to manufacture older-version units, they were no longer permitted to sell those older-design products to any country that abides by the RoHS regulations. In other cases, suppliers might no longer have stocked the non-RoHS parts that were used in the older design, and demand might not have justified their creating equivalent parts that meet RoHS standards. In such a situation, we could sell only the newer, RoHS-compliant product, while waiting for it to achieve FIPS (or other) validation.

"About HSM NOT in FIPS140-2 Approved Mode" for more information.