Ultra Intelligence & Communications

Government Certification for Cybersecurity – Why It Matters

March 26th, 2019

Several of 3eTI’s cyber-secure products have been through the rigorous testing required to receive government certification. WiFiProtect and CyberFence hold CC and FIPS 140-2 Level 2 certifications, and Criticom ISEC bears the TEMPEST certification. But what exactly does that mean and why does it matter?

It Starts With Standards

Certifications signal that products and processes meet certain standards. Standards are agreed-upon expectations and best-practices. Without them, there would be no uniform way to evaluate and distinguish IT products and processes. Here are some of the standards that matter to the US government.

  • National Information Assurance Partnership (NIAP) is a US government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA), and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). It is the governing body that oversees the implementation and application of the Common Criteria (CC) for Information Technology Security Evaluation, an international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments.
  • Federal Information Processing Standards (FIPS) describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies. There are many FIPS publications; the one relevant to 3eTI products, FIPS 140-2, sets the security requirements for cryptographic modules.
  • Telecommunications Electronics Material Protected from Emanating Spurious Transmissions (TEMPEST) is a National Security Agency (NSA) specification and a NATO certification covering the protection of information systems against spying through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations.

While other nations, like the UK, have similar government standards and certifications, there are no industry certifications for security or cyber products that are equivalent to these government validations. Government certifications often have requirements for robustness, information assurance, and security/compliance. Commercial industry certifications are typically related to safety, emissions, environmental impact, and ruggedness.

Industry vs. Government Certifications

If a product has a government certification, does it need an industry certification? Certification is always voluntary, and requirements for certain certifications are at the discretion of the buyer. While FIPS 140-2 Level 2 is mandated for crypto products within the DoD passing information at the secret level or below, buyers could have differing opinions on, for instance, the adoption of a UL certification regarding electrical safety.

Other federal agencies might not require FIPS 140-2 Level 2, but perhaps Level 1. However, there are overlaps between government and commercial industry. For instance, HIPAA laws require protection of patient data, which applies not only to commercial medical systems but also to government ones, such as a VA hospital. The VA hospital would be required to protect patient data under HIPAA laws, but because it is a federal medical facility there are additional requirements for FIPS 140-2 adherence. This leads to stricter security requirements for the VA hospital when compared to a commercial one. However, there is no HIPAA certification, so the only certification the vendor would need to service the VA hospital is FIPS. There are also some certifications that will be needed in any industry, such as FCC regulations requiring that any electrical interference (emissions) from a device stay under the limits set by the FCC.

The Cost of Assurance

Does having a government certification or validation add to the final cost of a product? Simply – Yes. The process for obtaining these certifications can often take six months to two years, depending on the staff support and budgeting. The process itself can cost hundreds of thousands of dollars in testing and development, not to mention any changes that may arise during vetting to ensure compliance. So why bother with a government-certified product if you can get a non-certified product that does the same thing for less expense?

It is not always a simple question of cost, but more so of assurance. Third-party validation is a stamp of approval saying that the product meets certain standards and that these claims have been verified by a neutral party. With government-certified solutions, customers can have confidence in their security solutions; they can be confident in the way a device handles information assurance and compliance. Many companies can offer encryption solutions, but are they doing it in a way that is secure? How are they handling the key exchange? Is it a proprietary process that could be vulnerable or exploited, or is it a standard process that has been proven to work, without known exploits? These are all questions that can be answered with the right certifications.

Having a product with government certification may cost more upfront, but how much will it cost your business without it? In today’s increasingly connected business environment, it’s not just defense contractors, utility providers, and contractors working in hostile environments that can benefit from systems that guarantee a certain level of security. A recent Accenture report estimated that global companies could incur $5.2 trillion in cybercrime costs and lost revenue associated with cyberattacks over the next five years. How much is your company willing to bet on a less reliable cybersecurity solution and a motivated hacker?