OpenSSL Receives FIPS 140-2 Validation

January 24, 2006 (PRLEAP.COM)
The Defense Medical Logistics Standard Support (DMLSS) program, Open Source Software Institute (OSSI) and OpenSSL.org Project announced today that OpenSSL has received FIPS 140-2 validation by the Cryptographic Module Validation Program (CMVP).

OpenSSL is an open source library that provides cryptographic functionality to applications such as secure web servers. The CMVP, a joint effort between the National Institute of Standards and Technology (NIST) and the Canadian Communications Security Establishment (CSE), validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 and other cryptography-based standards. The FIPS 140-2 standard specifies the security requirements that are satisfied by a cryptographic module utilized within a security system protecting sensitive, but unclassified, information.

The official validation certificate (#626), called TID 290 – 443 OpenSSL FIPS Cryptographic Module by Open Source Software Institute, will be posted on the NIST FIPS 140-2 Cryptographic Modules Validation List (http://csrc.nist.gov/cryptval/140-1/1401val2006.htm).

The validated OpenSSL module and source code will be available at the OpenSSL.org website, and all security policy and user guide documents will be available for viewing and downloading at the OSSI website (www.oss-institute.org). According to OpenSSL Project team members, the FIPS-validated module will be included in the next OpenSSL release, 0.9.7j. The validated version will be supported in subsequent releases by the OpenSSL.org Project.

The OpenSSL toolkit is licensed (http://www.openssl.org/source/license.html) under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

“This validation is critically important for two reasons,” said John Weathersby, OSSI Executive Director. “1) technically it means that OpenSSL has gone through and passed the same federal security validation process as other validated proprietary solutions; and 2) by receiving the FIPS 140-2 validation, products that include the validated OpenSSL module can be purchased and used within the government and Department of Defense systems.”

“The DMLSS program is heavily dependent on OpenSSL-based cryptography, so this validation will save us hundreds of thousands of dollars,” said Debora Bonner, DMLSS Director of Operations at the DMLSS Program Management Office. “Multiple commercial and government entities, including Medical Health Systems (MHS), have been counting on this validation to avoid massive software licensing expenditures. The three-year validation process was an ordeal, but our persistence finally paid off.”


# # #