FIPS testing finds lots of mistakes in crypto IT

About half of the cryptographic modules submitted for Federal Information Processing Standard validation have security flaws, a survey by the National Institute of Standards and Technology has found. Almost all evaluated products had documentation errors, said Annabelle Lee, director of NIST's Cryptographic Module Validation Program.

Speaking today at the Federal Information Assurance Conference at the University of Maryland, Lee cited the impact the FIPS validation program is having on cryptography vendors. She said 80 of 164 crypto modules submitted for evaluation had flaws involving physical security, random number generation or key management. Of 332 algorithms validated, 88, or about one-fourth, had security flaws, and about two-thirds had documentation errors.

Federal organizations must use FIPS-compliant crypto products for sensitive but unclassified data. FIPS 140-1 was the operative standard until it was replaced last year by FIPS 140-2. Since May, products can be evaluated only against 140-2.

Seven commercial laboratories in the United States, Canada and England are accredited to do the testing. NIST has simplified revalidation requirements to make it easier for 140-1-certified products to be certified under the new standard, Lee said. More than 260 validations have been issued for about 300 products from 60 companies.

About the Author

William Jackson is a Maryland-based freelance writer.

