What a crock.
Lots of vendors who understand nothing about the government's security requirements like to advertise that they offer "government-grade" security, or the even more impressive-sounding "military-grade" security.
Neither of these terms means a thing. You're validated, or you're not. Period. Typically, vendors using these terms are trying to promote their use of 128-bit Advanced Encryption Standard for privacy. Since just about anyone outside the Axis of Evil can readily access 128-bit AES, I don't really see the point.
Are you marketing security products? Are you eager to use terms like "military" or "government" in your collateral? Here's a handy checklist to see if you qualify...
- Are you protecting information classified as Top Secret, Secret, or Confidential?
- Are you selling a Suite A or Suite B product?
- Are you selling a HAIPE product?
- Are you selling a product with a FIPS 140-2 validated cryptographic module?
If you can't answer "Yes" to one or more of these questions, you're not selling government-grade or military-grade security. The government won't buy your product until it's undergone some form of validation or certification, which looks at issues like key generation and management, integrity, entropy, and a whole bunch of other items--not just the key length of your encryption algorithm. If you're not submitting your product through the processes required to validate compliance, you have nothing which can be legitimately marketed or sold as government-grade or military-grade.
So knock it off.