Cryptographic and Security Testing Lab
Accredited Testing & Evaluation Lab
Overview
The Leidos Cryptographic and Security Testing Laboratory (CSTL) offers a variety of services to assist with your organization’s cryptographic and security requirements, including:
- FIPS 140 – Federal Information Processing Standard 140
- CAVP – Cryptographic Algorithm Validation Program
- ESV – Entropy Source Validation
- SCAP – Security Content Automation Protocol Compliance Testing
Leidos CSTL has been an industry leader in the cryptographic and security testing field for over 25 years, having completed among the most FIPS 140 certifications in the world and supporting hundreds of different product vendors along the way.
With this extensive expertise and a profound grasp of clients’ needs and priorities, Leidos is positioned to be your trusted source for comprehensive testing and certification solutions.
At Leidos, our top priority is delivering services that precisely align with your unique requirements. This ensures that you acquire only what is truly essential for your business goals. This proven approach not only trims costs and timelines but also forms the bedrock of a lasting partnership.
Our Capabilities
The Leidos CSTL provides a full range of certification and consulting services across multiple disciplines, including:
FIPS 140
- FIPS 140-3 Validation: Leidos CSTL will take your product through the FIPS 140-3 full validation process, from initial design review to certificate issuance.
- FIPS 140-2/3 Certificate Maintenance/Follow-Up: If your validated product requires code updates such as bug fixes, feature enhancements, hardware changes, etc., Leidos CSTL can guide you through the proper revalidation scenario to ensure your certification remains valid.
- Product Gap Analysis: Initial FIPS 140 readiness assessment to identify potential gaps in the product. Upon completion, Leidos provides a formal report.
- Documentation Consulting: Turnkey consulting service to help advise or develop all FIPS 140 specific documentation needed for a successful FIPS 140 Validation.
- “FIPS Inside” Module Compliance Review: A product sometimes embeds a FIPS 140 validated Cryptographic Module within (i.e., “FIPS Inside”), but fails to use the module in a correct and secure fashion. Leidos can review the module integration and advise on issues and/or non-compliance.
CAVP
- Cryptographic Algorithm Testing: Conduct algorithm testing for submission to the Cryptographic Algorithm Validation Program (CAVP). CAVP is sometimes a prerequisite for FIPS 140 validations and CC PP Evaluations.
- Test Harness Development: A test harness is often needed to act as an interface between the CAVP tests and the product under test. Leidos will develop a test harness to enable CAVP testing of your cryptographic algorithms.
Entropy
- Entropy Source Validation: Leidos CSTL will review your Entropy Assessment Report and Public Use Document to obtain an ESV certificate for your entropy source. ESV is sometimes a prerequisite for FIPS 140 validations.
- Documentation Consulting: Consulting service to help advise or develop all documentation necessary in support of obtaining ESV certification.
SCAP
- SCAP Compliance Testing: Leidos CSTL can perform SCAP Compliance Testing against the most recent version of the standard. SCAP tests the ability of authenticated configuration scanners designed to detect vulnerabilities and misconfigurations with patches or policy settings. Leidos CSTL is accredited through the National Voluntary Lab Accreditation Program (NVLAP code 200427-0) to perform SCAP Compliance Testing.
Don’t see what you’re looking for? Contact us through the form below with your specific needs and we can discuss how we can provide the needed assistance to help meet your objectives.
Applicability
FIPS 140 plays a crucial role in ensuring the security of cryptographic modules used in government and public sector acquisitions, including those by the Department of Defense (DoD) and the National Security Sector (NSS). Commercial product vendors must certify their cryptographic modules, which can be software, hardware, or firmware, along with their cryptographic algorithms and entropy sources, before selling and deploying them in these environments.
The scope of FIPS 140 requirements also includes U.S. Federal Contractors, as outlined in DFAR 252.204-7012. This regulation mandates that defense contractors comply with the security controls in NIST SP 800-171 r1 for non-federal networks that may store or process Controlled Unclassified Information (CUI).
NIST SP 800-171 r1 specifically requires the use of FIPS-validated cryptography to protect the confidentiality of CUI. In simpler terms, commercial vendors must achieve FIPS 140 validation for their crypto modules to meet the requirements of their commercial federal contractors’ DFARs, in addition to complying with Department of Defense acquisition standards.
This standard applies to all Federal agencies that utilize cryptographic-based security systems to safeguard sensitive information in computer and telecommunication systems, including voice systems, as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. It is required for designing and implementing cryptographic modules operated by Federal departments and agencies or on their behalf under contract.
Proven Success
With a legacy spanning more than two decades of demonstrated IT industry success, Leidos Accreditation Testing & Evaluation (AT&E) teams continue to reinforce our significant contributions as a frontrunner. We take immense pride in leading the industry not only in terms of volume but also in nurturing long-term partnerships, all while showcasing our widely recognized expertise. Our AT&E lab stands as a testament to our unwavering commitment to excellence, with a history of effectively certifying over 1,500 IT products across several diverse IT fields.