OpenSSL gets NIST certifications
Wow. It looks like the Feds are slowly — oh, soooo slowly — creeping into the late 20th century:
Agencies setting up sensitive virtual private networks now have an open-source alternative.
The National Institute of Standards and Technology has certified OpenSSL, an open-source library of encryption algorithms, as meeting Federal Information Processing Standard 140-2 Level 1 standards, according to the Open Source Software Institute of Hattiesburg, Miss.
“This validation will save us hundreds of thousands of dollars,” said Debora Bonner, operations director for the Defense Department’s Defense Medical Logistics Standard Support program, in a statement. “Multiple commercial and government entities, including [the Defense Department’s] Medical Health System, have been counting on this validation to avoid massive software licensing expenditures.”
Federal agencies must use FIPS-compliant products to secure networks carrying unclassified sensitive data. The FIPS certification of OpenSSL opens the possibility of using an SSL-based VPN to carry sensitive data, according to Peter Sargent, who heads the Severna Park, Md.-based PreVal Specialist Inc., one of the companies that supported the validation process.
Traditionally, agencies wishing to set up a VPN for sensitive data would use an approach that involved a secret key implementation of a cryptographic module, which is more expensive to implement and has limited the number of smaller companies that can provide such a product, Sargent said.
(from Government Computer News, OpenSSL gets NIST certifications)
This is great news for Federal agencies. And you would think that switching to OpenSSL would be a no-brainer, right? After all, out here in the real world, we’ve been relying on it for years. However, there is nothing so simple and easy that the Feds can’t find a way to screw it up:
Sargent added that few agencies would directly deploy OpenSSL FIPS. Rather, they would purchase OpenSSL-based VPN products from vendors.
“Yes, yes: I know we could get sunlight for free. But we’d rather pay for it. This tax money isn’t going to spend itself, you know.”