FIPS Private Label Validations

Federal Information Processing Standards, or FIPS, are a set of standards created by the National Institute of Standards and Technology (NIST) to protect government data and ensure those working with the government comply with certain safety standards.

The Bouncy Castle FIPS modules offer a nearly complete range of certified algorithms and can be used with the execution platforms of choice. The resulting FIPS certificate is tailored to include the name of the vendor and vendor product. This kind of validation is referred to as a "Rebrand" or a "Private Label Validation".

The following outlines the Private Label Validation process, its benefits beyond saving cost and time, and how we can help you through it.

Benefits of Private Label Validation

The NIST standardization process allows a third party, with permission, to make use of a pre-existing certified module, avoiding most of the paperwork, and the associated delays, of validating a module from scratch. While this leads to a substantial saving in both cost and time for the vendor organization, there are two additional benefits:

  • The vendor finishes the process with algorithm certificates for the execution platforms of their choice.
  • The vendor finishes the process with a module certificate that lists those execution platforms and can also be tailored to include the vendor name and the name of the vendor product. 

This kind of validation is referred to as Private Label Validation. While it definitely helps with marketing, having a private label validation also removes any uncertainty end users might have concerning vendor platform choice, by ensuring there is a valid algorithm certificate for the specific platforms the vendor has deployed the end-user solution on.

Validation Process Requirements

The process requires the use of a testing lab, and it requires doing platform testing to get the algorithm certificates for any additional platforms. It also requires access to a third party who has an existing certificate, the appropriate documentation, and the testing tools required to do the platform validation.

Choose a testing lab and/or a FIPS consultant to deal with the preparation, testing, and submission. The FIPS support program that comes with our support contracts will provide everything else, including the necessary tools. In addition, we are able to assist people doing rebrands in meeting documentation requirements including a rebrand approval letter as required by FIPS 140-2 Implementation Guidance Alternate Scenario 1A.

Bouncy Castle FIPS Modules Help the Process

The Bouncy Castle FIPS modules are attractive candidates for rebranding: the libraries are currently validated against FIPS 140-2, and FIPS 140-3 submissions have also been made. Using these modules in conjunction with the support program helps simplify the extensive FIPS validation process, as the support program includes full algorithm (ACVP) and operational (CMVP) testing for the modules. Drafts of some of the paperwork, such as the security policy and key management documents, are also provided, which further reduces the work involved in certification.

The Bouncy Castle FIPS modules offer a nearly complete range of certified algorithms, with BC-FJA 2.0.0 (Java) and BC-FNA 1.0.2 (.NET C#) now also including algorithms like Format Preserving Encryption. There are also additional libraries we can provide which have been written to use the BCFIPS module correctly, in accordance with its security policy, and which support everything from certificate generation and time-stamping to OpenPGP, S/MIME, and TLS. Additional work has been done on the TLS API to ensure that it can also be configured to conform to the NIST standard for TLS, SP 800-52, offering a FIPS-compliant TLS solution when the TLS API is used correctly in conjunction with the BC FIPS module.

About the author

David Hook

VP Software Engineering
