Page 28

HSM_for_Dummies

Chapter 4

Certification: A Quality Accolade

In This Chapter

- Which certification schemes currently exist for HSMs
- The benefits and downsides of HSM certifications
- What you, as a user, must know about certifications

To assess the quality and security level of a device for information-security purposes, manufacturers can have their product assessed by experts and subsequently certified against defined test regulations and requirement lists.

Addressing the issue of certification for HSMs is actually relatively easy. Only two globally recognized certification schemes exist:

- FIPS: The Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology.
- Common Criteria: The Common Criteria for Information Technology Security Evaluation is an international standard for the testing and evaluation of the security properties of IT products.

But certification isn't as easy as it appears, because a broad array of diverse auditing and certification schemes exists in different national industries. In the German banking industry, for example, separate requirements exist for HSMs deployed in payment transaction networks. The payment card industry also has its own definitions for HSMs.

The FIPS 140 Standard

You'll find the body of requirements, rules and regulations for HSMs in the FIPS 140-2 standard. FIPS 140-2 is governed by the Cryptographic Module Validation Program (CMVP), a joint initiative of the U.S. and Canadian governments. CMVP is a partnership initiated by the American National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC). Within FIPS 140-2 there are four hierarchical security levels (1 - 4), as well as specific certifications (FIPS 197 and so on). On every level a higher concentra-

