The SafeLogic Blog
The Problem with POA&Ms
March 30, 2021 •Walt Paley
You did your 800-171 (the NIST publication on Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) self-assessment and did well. You even uploaded your report to SPRS (Supplier Performance Risk System). Most of the 110 controls were already all set and the leftovers were addressed with POA&Ms (Plan of Action & Milestones). You were feeling good about Cybersecurity Maturity Model Certification.
Then you got the word - CMMC auditors won’t accept POA&Ms. Zero. None. Zilch.
For most of those leftover controls, that’s not a big deal. You were already firming up and completing the steps to meet the requirements. A few new protocols hadn’t been implemented yet, but internal training was already scheduled so it will be addressed shortly. You run back through the checklist and your actions are all going to fall into place and the POA&Ms will be removed with time to spare before the auditors arrive... except for one. FIPS-validated encryption.
The timeline to achieve FIPS 140 validation for encryption has traditionally been 12-18 months, but you heard that the CMVP (Cryptographic Module Validation Program) was under-resourced and running a growing backlog in its testing queue, so the timeline is definitely getting even worse. CMVP is something of a black box when it comes to timing, so the idea of waiting indefinitely for a FIPS validation is a non-starter. The C3PAO auditors (CMMC Third-Party Assessor Organizations) aren’t going to accept that. This is the problem with POA&Ms: CMMC just isn’t allowing for that kind of deferral.
This is where SafeLogic excels.
Our RapidCert program, the simplified and accelerated FIPS validation service, is tied to our portfolio of CryptoComply modules. Each version of CryptoComply has already been lab tested, certified, and validated by the CMVP, which means that if you license, integrate, and deploy CryptoComply, we can initiate a RapidCert and have a validation in your name in less than 8 weeks. Yes, you read that correctly.
Forget the 12-18+ month waiting list. Forget about building a module from scratch and testing each algorithm individually. Forget about the documentation effort and coordinating with a lab. Forget about incurring hours with a consulting firm. And forget about pulling engineers from their product-focused tasks to ask them to deal with FIPS.
We will help you identify the right version of CryptoComply for your use case. Then it’s plug-and-play. You can even do the integration in parallel with our validation efforts to maximize the time savings and increase your competitive advantage. Don't waste any more time - if you need FIPS-validated encryption to sell your products under CMMC certification, let's talk ASAP.
Walt Paley
Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An Alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.