We have exciting news to share: the process to acquire the FIPS 140-3 certification for the Trident HSM Cryptographic Module has started. Soon our product will not only be a CC certified HSM but a FIPS 140-3 certified HSM, too.
Certifications are commonly used in many fields of IT. They assure customers that they can trust a product, as they demonstrate that the solution complies with the strict requirements established by trusted, competent and independent organizations. In order to achieve a certification, the product is evaluated and tested in accredited laboratories with various methods, including quality and performance tests. These tests are conducted by independent experts. Finally, the results of the evaluation are examined by relevant government agencies before the certification is obtained.
This method ensures that the product functions as the manufacturer advertises and meets strict criteria. The certification confirms the features and benefits for customers, removing the burden of comprehensive product evaluations from the shoulders of project managers or decision makers in charge of purchases.
Government agencies are often required to purchase and use certified solutions only. Public organizations often prefer to follow the government institutions and buy certified products just to be sure that they are using a solution that is guaranteed to be reliable and secure.
FIPS or CC?
Two major standards are in use for HSMs: the Common Criteria for Information Technology Security Evaluation (Common Criteria or CC for short) and the Federal Information Processing Standard Publication 140. The FIPS standards have recently been modernized. The previous version of the standard, FIPS 140-2, was published in 2001 and has recently been replaced by FIPS 140-3, which is now the required standard everywhere. This version was published on 22 September 2019, and the first validation processes for this standard have just started.
We’ve published a whitepaper on the comparison of the two certificates and their validation processes and levels; you can download it here if you’re interested in more details.
These standards regulate what features an HSM should contain and guarantee in order to provide the required level of security. In Europe, CC is the preferred standard, while in the USA, FIPS is the usual requirement, since this standard is issued by the United States and the modules are validated by NIST, the National Institute of Standards and Technology.
Trident HSM aims for both
Trident HSM has been CC certified since May 2019, when the first version of Trident HSM received the Common Criteria EAL 4+ certification (EAL4 augmented by AVA_VAN.5 and ALC_FLR.3), after a long process that took a lot of time, effort and expense. It has been continuously updated since then. Whenever a new version of Trident HSM is released, we go through the certification process again, so customers can use the latest version with complete confidence. The latest version, Trident HSM 3.1, will receive the CC certification within a few months.
Now the big news is that we have started the process of obtaining FIPS 140-3 certification besides the CC. The testing and evaluation for this process is always done by an independent laboratory. We are working with DEKRA to obtain the FIPS certification. We appreciate their expertise and cooperation, and we are confident that they will move quickly with the assessment, and the process will be completed in the shortest possible time.
The process is now at the point where the product has been added to the IUT (Implementation Under Test) List. From there it will move to the Modules In Process List when it is actively being worked on in the NIST Cryptographic Module Validation Program. Then it will move to the Validated Modules when the process is complete and Trident HSM achieves the FIPS 140-3 certification.
There are many points where the requirements of the two certificates are aligned. But having both of them guarantees the highest standards and the highest level of security, proving that the Trident HSM meets the requirements all over the world.
We will publish an update as soon as we have new information on the process. In the meantime, learn more about the unique features of Trident HSM, or contact our colleagues to find out how Trident HSM can offer an excellent solution to your specific data protection challenges and cryptography needs!