It’s common in the networking space to hear that a product is “FIPS certified” or using “FIPS validated cryptography” as a selling point. Sometimes commercial customers may even be told that a product is “Common Criteria validated” or “on the DOD Approved Product List,” with the implication that said product is “good enough for the intelligence community or the U.S. Army, so it’s good enough for you.”
One way in which the nature of federal certifications may arise is in the context of network security. Network security refers broadly to architectural principles and everyday practices organizations use to mitigate risk associated with a cyberattack. Potential attacks can be carried out via the network, or the network infrastructure itself could be vulnerable to attack. Commercial customers may assume that using federally certified products inherently enhances network security.
But is that actually so? Does a product having one or more federal certifications really mean that it is more secure, or better than a product which doesn’t, and should that drive commercial purchasing decisions? What, exactly, does a commercial customer get out of having a certified product?
First, it’s important to explain what the various federal certifications related to product security are, their relationships to one another, and what problems they’re intended to address. Understanding those key facts explains why a product’s certification status may or may not factor into a commercial purchasing decision.
Understanding U.S. federal certifications
If you are evaluating networking and network security products, you may encounter claims pertaining to a variety of certifications. How do U.S. federal certifications differ?
HPE Aruba Networking Trust and Assurance (ATA) deals primarily with the following federal certifications relevant to product security:
- Federal Information Processing Standard 140-2 (FIPS 140)
- Common Criteria (CC)
- Commercial Solutions for Classified (CSfC)
- DoDIN Approved Product List (DoDIN APL)
Federal Information Processing Standard 140-2
The Federal Information Processing Standard (FIPS 140) validation focuses on the correctness of cryptographic algorithms, and the resistance of the certified product or module to cryptanalysis and side-channel attacks against the security of the cryptography provided by the product. FIPS 140 validation of a product or, at the very least, proving that the product is using a validated module (such as OpenSSL) in a compliant way, is required for federal government sales. FIPS validation is assessed via licensed third-party testing labs before a final certification is provided by the government.
Common Criteria and Commercial Solutions for Classified
Common Criteria (CC) leverages FIPS validation of the cryptography portions of the product, then assesses the product against a set of Security Functional Requirements (SFRs), which are intended to address specific concerns enumerated in the Security Problem Definition found within a specific Protection Profile.
The related Commercial Solutions for Classified (CSfC) certification builds on Common Criteria by stating which selections must be made (or configured after the fact) for the product to be suitable for use in Top Secret environments. CC conformance is tested by licensed third-party labs before final certification is provided by the government.
DoDIN Approved Product List
Finally, DoDIN Approved Product List (DoDIN APL) inclusion is all but mandatory for a product to be allowed to be purchased by the US Military. To be eligible, a product must have begun evaluation for Common Criteria, if a NIAP-approved protection profile is found to apply to it. It is then subject to more stringent runtime configuration and operational requirements, as well as strict testing regarding performance and interoperability. This testing is performed directly by the Department of Defense, not by third-party labs.
Network security product and certifications example
Let’s look at an example of an HPE Aruba Networking network security product that has achieved multiple certifications. HPE Aruba Networking ClearPass enables organizations to define, apply, and enforce network access control policies throughout their networks. ClearPass Policy Manager is FIPS 140-2 Level 1 validated. ClearPass Policy Manager also appears on the DoDIN Approved Product List (DoDIN APL). ClearPass also meets Common Criteria requirements for NDcPP + Authentication Servers. These certifications mean that federal, military, and customers with additional SFRs could use ClearPass in their environments.
Why do federal certifications exist?
Federal certifications provide a standardized way of ensuring that commercial-off-the-shelf (COTS) products meet stated minimum-security requirements before conducting further assessment to determine whether the product provides a solution that a federal customer is looking for. By offering a pathway for COTS solutions, federal customers can have a wider range of options at a reduced cost and time to implement compared to the RFP process for custom-made solutions.
But make no mistake—all these products are, in fact, commercial solutions. Some may have been designed with government sales in mind, but for many, that was merely an afterthought.
What’s the catch?
There are a few things commercial customers need to be aware of when considering federal certification status while evaluating products. Often there are a lot of assumptions involved, which may not be relevant to the customer’s use case. This is particularly true with Common Criteria, especially around “evaluated configurations.”
A product is certified through Common Criteria by testing a specific set of claims against an approved range of selections. Often, the product must be configured in a specific way to meet the requirements, called the evaluated configuration. The evaluated configuration is often a subset of the product’s actual capabilities, either because some services are out of scope, or because the service doesn’t conform with Common Criteria requirements. Any deviation from the evaluated configuration would mean the product as configured is not actually in compliance with Common Criteria.
You can see, then, why this may not be a great selling point for commercial customers.
Additionally, what’s allowed by FIPS, Common Criteria, and CSfC in terms of cipher suites for services such as TLS or SSH, is rather restrictive compared to what might otherwise be enabled. Cryptographic ciphers built around ChaCha20, for instance, which are widespread commercially, are not approved by any government certification.
Government certification: What are the benefits?
Why would a commercial customer want a product that has a government certification? What value is there when purchasing decisions aren’t affected by law? Reasons to consider products that are federally certified include:
- Cryptography in the product has been well vetted for correctness and security.
- Anything in scope of the certification has been independently tested and proved to work, at least in accordance with the evaluated configuration
- The released version has no public vulnerabilities against it, at the time of the certification being issued, or there is a remediation plan in place to quickly patch those vulnerabilities
- There is a reduced likelihood that hardware and software components in the product have been manipulated by anyone in a hostile country as HPE Aruba Networking only certifies TAA-compliant SKUs
- All other HPE Aruba Networking product security programs still apply, ranging from our ever-improving software development lifecycle to constant red-teaming via Bug Crowd
HPE Aruba Networking uses software development lifecycle and secure software development best practices for its networking and network security products to help protect organizations from unnecessary exposure to risk.
It is important to note that the core value add of having a product run through independent testing holds true whether you operate it in an evaluated configuration or not. The lab may find additional quality issues that were not part of a QA test plan, for instance, during testing.
Assessing the added value of federal certifications
Whether a commercial enterprise will get any added value out of choosing a product with one or more federal certifications is a valid question. If the product isn’t going to be operated in accordance with the evaluated configuration, then it’s a moot question. But the customer should know what the evaluated configuration is before weighing the value of certification. Luckily, that information is public.
The information necessary to make an informed decision is publicly available. For HPE Aruba Networking network and network security products, you can find details online:
- HPE Aruba Networking FIPS module validations
- HPE Aruba Networking Common Criteria compliant product list
When assessing if the validated or evaluated configuration of a product is going to meet your needs, you’ll want to look at the FIPS Security Policy and the CC Security Target and User Guidance.
Mostly, you’ll want to check on whether any functionality could potentially break your ability to manage or interoperate the product, and if so, whether you have to configure it to be in that state or if it’s like that out-of-the-box. For example, if you have older wireless clients that can’t use the restrictive set of allowed WLAN settings, then you would want to take that into consideration. Either way, you would have to forego operating in the evaluated configuration, or you would need to upgrade the wireless clients.
Key takeaways: Network security, federal certifications, and you
While various federal certifications exist to meet specific government requirements, commercial customers benefit from quality and improved baseline security of a product that has been through the certification process. However, to achieve the full value of purchasing a certified product, it must be operated in the evaluated configuration. Commercial customers need to take more care in assessing whether that evaluated configuration is going to meet other business needs of their organization.
More information on HPE Aruba Networking network security products:
