Security VARs Tackling Government Accounts Must First Tackle Lingo

There's Common Criteria, the Federal Information Processing Standard (FIPS) and the Defense Information Infrastructure Common Operating Environment, a set of mandates specific to the Department of Defense. And that's just for starters.

Companies that want to succeed in selling security solutions to the feds would be wise to brush up on these terms, learn which ones apply to the products in which they specialize and keep track of where products stand in terms of earning certifications.

For example, earning FIPS 140-2 certification, which applies to cryptographic modules, means that the cryptography is designed and implemented in accordance with many different parameters set by the National Institute of Standards and Technology (NIST).

Both solution providers and vendors should become familiar with the range of certifications, observers said.

"I recognize these different certifications as important because the government has deemed them important," said John Weathersby, president of Open Source Development Group, an open-source training company in Oxford, Miss. "If I want to sell to the government, then I have to play by its rules. It's complicated, but that's the price of doing business with the government."

Weathersby is also chairman of the nonprofit Open Source Software Institute. The OSSI, whose members include the GNOME Foundation, Hewlett-Packard and others, is part of a team working to get FIPS 140-2 certification for an open-source cryptography product. Weathersby said he cannot yet divulge details of the effort.

A recent addition to the roster of terms is the National Information Assurance Partnership (NIAP).

Sponsored by the National Security Agency and NIST, NIAP seeks to develop programs that gauge the capabilities of products used to conduct security certifications for federal agencies. It also verifies that individuals performing the audits and providing other security consulting services are qualified to do so.

Solution providers said their customers' awareness of NIAP is limited.

"Some of their internal IS staff are exposed to NIST marketing through trade shows, but NIAP is not an industry standard per se," said Thomas Brennan, president and CEO of Federal Systems Group, Whippany, N.J.

Different security criteria "solve different 'nichey' [issues. As technology changes, different requirements are put in place," Brennan said.

In fact, many of Federal Systems' customers ignore which products have earned which certifications, he said, adding, "They pay more attention to the quality of service we give."

Vendors, on the other hand, are anything but quiet when they earn compliance with a given certification.

This fall, Microsoft trumpeted its success in earning Common Criteria certification for Windows 2000 and said it would try to duplicate the effort on behalf of Windows XP and Windows .Net Server.

Sun Microsystems, for its part, said in September that it had successfully gotten Solaris 8 through the Common Operating Environment Kernel Platform Compliance program, which makes it easier for this version of Solaris to be used in Department of Defense engagements.

Industry watchers are waiting to see when a Linux product will earn certification from the feds. Numerous projects to make that possible are under way, Weathersby said.

Red Hat CTO Michael Tiemann told CRN recently that he expected his company's Linux operating system to meet the NIAP criteria within a year.

"Someone told me yesterday that Red Hat can't afford to do a NIAP certification," Tiemann said. "Well, we have $280 million in the bank."