FIPS 140-2 certification for SAP’s crypto kernel
As I already indicated in an earlier blog, SAP is working on a FIPS certification for the crypto kernel of the Secure Login Library component of our SAP NetWeaver Single Sign-On solution. The certification process is well under way, and soon we will conduct the final tests together with our evaluation lab. If you are looking for more information on FIPS 140-2 and what we are going to certify, check my latest article in the SAP Insider Magazine at https://scn.sap.com/docs/DOC-34916. Have fun reading!
SAP received FIPS 140-2 certificate for the crypto kernel of the Secure Login Library!
Annette, what is the current status on FIPS 140-2? The blogs are stale. The assumption was that certification would be completed by September 2013. That was almost a year ago. Should we move to Secude and stop paying maintenance fees on Netweaver SSO?
According to the list that was updated 2 days ago SAP AG is undergoing the phase "Coordination" which doesn't sound too promising...
I don't have any experience with FIPS validation process but based on this definition of coordination it's impossible to tell if it's promising or not. Every testing/review results in some comments/issues that need to be addressed. It really depends on how serious the findings are. That table also shows that most of the products are in this category. So it's really hard to tell.
Cheers
Hi Dirk, and all others who commented on this blog,
SAP submitted all evaluation results and required documentation to the certification body NIST/CMVP in April 2013.
In the "coordination phase" the NIST/CMVP specialists comment on the submitted documents and are in exchange with the validating certification lab. Sometimes these discussions can be very long and extensive and also there happen to be delays because the involved people are not always available. The clarification process seems to be finished by now but we have not heard back from NIST/CMVP, yet. SAP has no influence on the process, its progress or the speed in which its is conducted.
Annette, thank you for the feedback. At one point last year, I had a copy of the FIPS 140.2 certification from the TuV. Is that something you could post or otherwise make available?
I just received information from our evaluation lab that NIST/CMVP requested another change to our security policy. The required change should be the last one and will be submitted within this week. According to the lab the certificate should be there soon then.
Any updates on this?