SafeLogic is simplifying the adoption of FIPS 140

The information age ushered in what is probably the greatest invention ever made. Computers, and subsequently the internet, revolutionized how humans exchange information. With this increased exchange of data and its use in fields such as healthcare and the military, the US government introduced computer security standards that specify the requirements for a cryptographic module. The National Institute of Standards and Technology (NIST) issued the Federal Information Processing Standards (FIPS) 140 series, which is considered current and active. The FIPS 140 standards were introduced to coordinate the standards for both hardware and software encryption used by the United States federal government. Without this validation, encryption modules are considered to be of unknown quality and placed in the same category as plaintext. FIPS validation is binary: either the module is certified or it is not. If an encryption module has not been tested, it is treated as if it does not exist.

NIST and its Canadian counterpart, the CSE (Communications Security Establishment), teamed up in 1995 to establish the mechanisms for testing and certifying that the FIPS 140 benchmark has been met. The CMVP (Cryptographic Module Validation Program) and CAVP (Cryptographic Algorithm Validation Program) are dedicated departments, staffed by NIST and CSE employees, focused on FIPS 140 and working with independent, licensed third-party testing labs. The labs conduct the functional testing and package and submit all the paperwork, but it is the CMVP that ultimately reviews the results and issues the FIPS 140 validation.

Inspired by Clients: The Beginnings

SafeLogic Inc., with its motto “FIPS 140 Simplified”, was established in 2012 by Ray Potter, widely recognized in the industry as one of the foremost authorities on FIPS and standards certifications. Spun out from Apex Assurance Group, the company now has two offices, in Palo Alto, California, and the Washington, DC beltway region, representing the two areas with a high density of customers. SafeLogic delivers innovative security, encryption, and FIPS validation to applications for mobile, wearable, server, appliance, and constrained device environments while reducing the time and complexity of integrating and validating world-class encryption.

Since government systems rely heavily on cryptography for data protection and FIPS 140 validated encryption is used in all Sensitive But Unclassified (SBU) federal operating environments, a lot is riding on the enforcement of these standards.

Walter Paley, VP of Communications for SafeLogic, shares, “Our founder was inspired by clients, who kept requiring the same features to be custom-built. It was a clear need in the industry and SafeLogic was profitable from Day One.”

The traditional FIPS 140 validation process is time-consuming, costly, and resource-intensive. Additionally, certifications are difficult to maintain for a product that is constantly developing new features and versions. SafeLogic’s biggest selling point is that they build, validate, and maintain the FIPS module themselves. They provide encryption solutions, FIPS 140 validation, and ongoing support, which results in massive time and cost savings for their clients. This strategy allows companies to offload the niche requirement of building, validating, and maintaining the FIPS module and remain on task, building what they do best.

Game Changers: Specialized Solutions  

SafeLogic is a highly focused team of experts dedicated to FIPS 140 validated encryption. They maintain an aggressive validation maintenance roadmap to support the latest platforms and offer services specifically catering to the needs of the client. Being unconventional and having a visionary hiring policy ensures their relevance: “SafeLogic has always been a distributed workforce, meaning that we’ve always hired the right people, not just the top candidate who happened to live within commuting distance. This put us in a position to continue operations during the pandemic with zero disruption to our work.”

CryptoComply, developed by SafeLogic, is a standards-based cryptographic library for servers, appliances, and mobile devices that provides “Drop-in Compliance”: full compliance with FIPS that allows the client’s product to be updated and revised at the speed of innovation, because the tightness of the module’s validation boundary keeps the product compliant. RapidCert, another solution that accelerates the timeline for delivering validated products, results in huge time savings. The RapidCert program, in tandem with CryptoComply, allows the customer to receive a formal FIPS 140 validation certificate in their own name quickly and with no interaction with a testing laboratory, which accelerates the timeline and lowers costs compared to the traditional process.

The key to remaining competitive in the public sector is to keep the product validations current with the latest releases on the latest platforms. As Walter points out, “FIPS 140 has become well known as a building block certification, leveraged as a prerequisite by many technology approval programs for government and regulated industries like finance, healthcare, legal, and utilities. This was as intended by NIST. As a clearinghouse for the public and private sectors, NIST publications are highly influential. For example, SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, underpins the FedRAMP authorization, while SP 800-171, Assessing Security Requirements for Controlled Unclassified Information, is the basis for the CMMC (Cybersecurity Maturity Model Certification) program. FISMA, DoDIN APL, Common Criteria, HIPAA, and HITECH healthcare regulations all follow suit, specifying the dependency on FIPS 140 validation for any cryptography deployed within the solution.”

SafeLogic’s cutting-edge product line enables them to meet the requirements of government, military, healthcare, and other regulated industries. They work with early-stage start-ups as well as industry giants like Raytheon, Oracle, Juniper Networks, Hewlett Packard Enterprise, and Symantec. Their clients provide specialized solutions to hospitals and law enforcement, for satellite imaging and smart printers, for identity access and single sign-on, in data centers, and on mobile devices.

As Walter emphasizes, “Encryption is, or should be, deployed everywhere that information security and privacy matter.”

In a short period, SafeLogic’s technological acumen has brought in many accolades, including several InfoSec Awards from Cyber Defense Magazine, ASTORS Homeland Security trophies from American Security Today, Cybersecurity Excellence Awards, CyberSecured Awards, the Govies, and others.

The testimonial of Jeff Enderwick, CTO of Nukona (acquired by Symantec), sums it all up: “The actual integration was amazingly fast and easy. With the help of the SafeLogic support team, it only took one of my developers two weeks to replace the old crypto library, drop in the CryptoComply package and complete initial testing. As far as I am concerned, we shrank a 2-year project down to 2 weeks. In fact, it was just like ‘push the button’ and it was done!”

Trends & Challenges: Future Prospects

There has been a popular misconception amongst businesses that they are either too small to be hacked or too obscure to be targeted. As Walter explains, “That is absolutely untrue, particularly for customers like ours, who hold sensitive data about their contracts and deliveries to the federal government, for example. Encryption is the very least that companies can do to protect that data.” 

The pandemic has affected every business, although some businesses like SafeLogic grew exponentially during this time. Many of their customers saw a significant increase in demand for technology and security as millions started working remotely, and SafeLogic had to scale up to meet the ever-increasing demand. Their mantra is to “Keep on listening to customers, building what they need, and delivering it even better than they imagined!”

The future of the cybersecurity landscape has clear indicators: machine learning and automation will continue to grow in relevance and importance in the cyber defense industry, as the industry will have to keep constantly adjusting and responding to the types and frequency of attacks. A major part of corporate strategy will be adaptability, as government contracts will constitute larger and larger portions of vendor revenue streams. SafeLogic is ready for the future, with increased demand as more and more vendors look to satisfy the prerequisites to enter the space.