FAQs

How do I get my product tested?
Submit your product and documentation to the SAIC Cryptographic and Security Testing Laboratory (CSTL). The laboratory analyzes your product documentation for compliance with FIPS 140-2 requirements. If the product is compliant, the test results are forwarded to the National Institute of Standards and Technology (NIST), which will issue the validation.
What must I do to prepare?
The client seeking certification must submit the required documentation. Some of the client's existing product documentation may be appropriate, but there are several documents that must be created by the client or a consultant. Many potential clients are surprised at the real work involved even when they have some of the required material.
What documentation is required?
Required FIPS 140-2 documentation from the client must give enough information to satisfy all the applicable categories of security requirements listed in FIPS 140-2, some of which are applicable to hardware, some to software, and some to both. These categories are:
  • Module Source Code
  • Test Case Results
  • Non-proprietary Security Policy
  • User and Crypto-Officer manuals
  • Module block diagram
  • Module design specification
  • Software Source Code
  • Correspondence of Module to Security Policy
  • Physical Security Summary
  • Design Assurance
  • Attack Mitigation
In addition, NIST requires that every vendor supply a non-proprietary security policy document with each validated module. A review of the FIPS PUB 140-2, the Derived Test Requirements, and Implementation Guidance will clarify the applicability and requirements of each documentation category.
What if I need help creating some or all of the required documentation?
During the initial assessment, the SAIC CSTL will recommend the most economical production process for the developers to write documentation that completely satisfies FIPS 140-2 requirements. We understand that documentation can be time-consuming, difficult, and costly to produce. The SAIC CSTL will provide strategies for assembling, preparing, or writing the proper documentation.
What happens if my product fails?
SAIC is committed to helping vendors get through the validation process. However, sometimes the module or its documentation does not meet the requirements. If the module under evaluation does not pass the requirements for validation, SAIC will contact the client to discuss corrective action.
What is the cost of testing?
The cost depends on the security level required, completeness of available documentation, nature of the product (hardware vs. software), previous analysis and evaluation of versions of the product, and validation timeline. A cost recovery fee is also charged by NIST for the validation of cryptographic modules. Contact us to schedule a telephone conference or to request a rough-order-of-magnitude quote or a formal proposal.
How long does it take to get certified?
Actual laboratory testing time depends on the required security level and averages between 30 and 90 days. However, documentation is usually an issue, as is the availability of a NIST evaluator. SAIC recommends planning for the total process to take one year.

 

Interested? Contact Us!


SAIC Corporate Headquarters:
10260 Campus Point Drive
San Diego, CA 92121
www.saic.com

Products & Services Phone:
1-800-430-7629
+44 (0) 845 366 7242 in the UK
+44 (0) 1355 845526 all other European locations