Originally posted in its entirety at AFCEA's Signal Magazine.
For years, NIST’s Federal Information Processing Standards (FIPS) 140-2 validation list read like a Who’s Who of Fortune 100 technology vendors. Only those products that leverage cryptographic modules shown on the list were eligible for federal agency deployment. Until recent changes, only the deepest pockets could absorb the costs of development, testing and expensive consultants to facilitate introducing solutions into the federal marketplace.
Soft costs for FIPS 140-2 validation efforts added up as well, with significant hours required from engineering teams. The result? A huge barrier to entry, effectively blocking any technology company outside of the elite (or rich) from participating in the lucrative federal cybersecurity market. It built a phenomenal feedback loop for those big enough to enjoy it. It was fantastic for the vendors on the inside, but terrible for agencies severely limited in their available options for deployment.