A Golden Age in Federal Technology Procurement

The National Institute of Standards and Technology's (NIST) benchmark for encryption modules has seen recent innovation, opening the playing field for competition.

For years, NIST’s Federal Information Processing Standards (FIPS) 140-2 validation list read like a Who’s Who of Fortune 100 technology vendors. Only those products that leverage cryptographic modules shown on the list were eligible for federal agency deployment. Until recent changes, only the deepest pockets could absorb the costs of development, testing and expensive consultants to facilitate introducing solutions into the federal marketplace.

Soft costs for FIPS 140-2 validation efforts added up as well, with significant hours required from engineering teams. The result? A huge barrier to entry, effectively blocking any technology company outside of the elite (or rich) from participating in the lucrative federal cybersecurity market. It built a phenomenal feedback loop for those big enough to enjoy it. It was fantastic for the vendors on the inside, but terrible for agencies severely limited in their available options for deployment.

Over time, new strategies and products were introduced into the private sector, and the government realized that the grueling 12+ month FIPS validation process meant that technology was at least a year old before it ever reached the field. That doesn't even factor in product updates, revisions and customization, which almost always add significant delays. In the end, deployed technology routinely remained in use long past the intended lifespan. Equipment approaching obsolescence reliably reveals vulnerabilities, especially considering the persistent threats posed to the public sector by hackers. That compromise didn't sit well with the cybersecurity community.

Industry responded with a series of solutions that accelerate the FIPS 140-2 process, delivering new validations in weeks rather than months, and lowering the financial overhead and overall risk. It succeeded in opening the market to startups and midsize companies. A long-overdue revision to the standard, FIPS 140-3, is projected to be active within the next few years, good news considering the current version has eclipsed 16 years in use. NIST and its Canadian counterpart, the Communications Security Establishment, jointly administer the validation process and promise advances in automation and processing procedures to maintain the future viability of the standard.

Thanks to these improvements, more vendors can qualify and compete for federal tech dollars, a move helping to usher in a renaissance era of technology with more choices than ever for federal agencies. Federal spending, especially on cybersecurity, is firmly in the public eye, and this is a case of the customer—agencies and ultimately the taxpayer—benefiting in a big way from the influx of competition.

Ray Potter is CEO and co-founder of SafeLogic.