Recently, HBO’s hit series Silicon Valley made reference to the once-esoteric FIPS 140-2 validation process for encryption. In the show, the massive Hooli juggernaut is pulling out all the stops to stake a claim to market share and elbow out Pied Piper, the brainchild of protagonist Richard Hendricks. Amidst the inside jokes from the Bay Area and the Easter eggs for techies and entrepreneurs, Silicon Valley does a fantastic job illustrating the real-life dynamics between incumbent vendors and disruptive startups. While it is certainly fictionalized (although who doesn’t recognize an Erlich Bachman in their life), HBO’s portrayal of the stark contrast in resources is on point. Pied Piper is a skeleton crew, while Hooli has budget and personnel to spare. So in that context, what is FIPS 140-2 and why did HBO feature it in their script?
FIPS 140-2 is a benchmark for encryption modules, established by the United States National Institute of Standards and Technology (NIST). The “-2” suffix represents the revision of the standard. We expect to see FIPS 140-3 in the future, although the current version has already lasted far longer than expected. While FIPS 140-1 was replaced after seven years, FIPS 140-2 has passed 16 years in effect and is still going strong. NIST and their Canadian counterpart, CSE, jointly govern and administer the validation process for FIPS 140-2, in which licensed testing laboratories put encryption modules through their paces and submit official reports for certification. This certificate authorizes federal agencies and other regulated industry buyers (utilities, healthcare, finance, etc.) to acquire the solution that leverages the validated encryption.
SafeLogic’s CEO, Ray Potter, summed it up well in an editorial at AFCEA’s Signal Magazine.
For years, NIST’s Federal Information Processing Standards (FIPS) 140-2 validation list read like a Who’s Who of Fortune 100 technology vendors. Only those products that leverage cryptographic modules shown on the list were eligible for federal agency deployment. Until recent changes, only the deepest pockets could absorb the costs of development, testing and expensive consultants to facilitate introducing solutions into the federal marketplace.
Soft costs for FIPS 140-2 validation efforts added up as well, with significant hours required from engineering teams. The result? A huge barrier to entry, effectively blocking any technology company outside of the elite (or rich) from participating in the lucrative federal cybersecurity market. It built a phenomenal feedback loop for those big enough to enjoy it. It was fantastic for the vendors on the inside, but terrible for agencies severely limited in their available options for deployment.
Things were great for years, as long as you were one of the incumbents. Hooli represents that ‘Old Boys Club’ of legacy tech vendors, content to use these exclusion tactics to limit the number of competitors in the public sector and to win customers with their breadth of offerings, rather than by being outstanding in any one particular space. So it’s entirely in character for Hooli’s evil CEO to unveil their FIPS validation in a stage presentation worthy of Steve Jobs.
Of course, as time passed, federal procurement officers realized that a 12-18 month validation process for FIPS 140-2 directly impacted their available options. Every solution was at least 12-18 months out of date! Using older products is frustrating, especially when you’re watching the private sector leap ahead, but older products are also potentially more vulnerable: because the technology has been available for so long, it has had more exposure to research from both white and black hats.
These were core inspirations for SafeLogic’s inception. Accelerated validation timelines mean that innovations can be introduced quickly, while more affordable total costs of validation produce more variety in the approved vendor list.
Federal agencies are enjoying that variety now, selecting and deploying solutions from vendors in cutting edge fields – precisely the kind of disruption the fictional Pied Piper team intends to make.
2017 is a time when federal cybersecurity is under a microscope like never before. Awareness of FIPS 140-2 and other programs, such as FedRAMP, has grown exponentially as a result, and the reference on Silicon Valley demonstrates how far it has come. Will we see Pied Piper and Hooli jockeying for a three-letter agency contract in a future episode? Time will tell.