
4 Replies

  • A piece of network equipment is not "compliant" if:

    1. It does not use protocols and encryption that are deemed "secure."

    2. The manufacturer did not pay for the testing required to have the device "certified."

    Most devices fall under option 2. The bigger companies that can afford the certification pay for it and do so to get those government contracts.

    If you see one model switch or firewall is "certified" and a similar model is not, it's less likely to be an operational issue than one of having paid for the cert.

  • SPR1 wrote:

    Just wondering what makes this hardware compliant with fips140-2 compared to any other regular network switches ?

    I wasn't in charge of such a compliance request, so I did not dive deeper into this particular one. Typically, you'll need not only matching hardware but also a matching configuration to become compliant. For security compliance, I repeatedly encountered case 2 of Robert's reply. And when looking on those manufacturers' websites, you may even find additional info on the setup and configuration with which such a certification was achieved.

    And several modern compliance requirements cannot be met statically once and for all. They require establishing security processes that carry some compliance requirements too, if this has not already been the case for other reasons, e.g. monitoring the manufacturer's security advisories.

  • To add additional information: even if a model is on the list, it is not automatically compliant. It will need to be configured in accordance with the guidelines; vendors often provide specific instructions for this.

    This still does not mean you are compliant with NIST 800-171, just that that specific bit will be.

    This is quite a good summary https://www.nist.gov/blogs/manufacturing-innovation-blog/what-nist-sp-800-171-and-who-needs-follow-i...

    I would recommend this sentence: "The first thing they should keep in mind is that being DFARS compliant likely involves working with a cybersecurity consultant that knows the NIST SP 800-171 requirements inside and out."

  • Adding to this, keep in mind that to remain compliant, one requires dedicated staff who understand what they're doing, how they're doing it and how to maintain it.

    The process is basically known as RMF (Risk Management Framework). It requires continuous monitoring, adapting to constant threats and changes in the IT landscape.

    If you're not very familiar with this, have a look at CISecurity.

    Learn all you can; take it in bite-size chunks. There's a lot to learn.
