Validated and Compliance Versus Certified and Approved
As a technical professional, it is always irritating to see honesty bent with marketing words. How many times have you seen creative wording used to justify something that is not true, or a vendor claim to be something it is not?
That brings me to the subject of this post. Have you come across products described as "validated" or "compliant" rather than "certified" or "approved", and had to explain the difference? The wording creates a lot of confusion, so let's clear it up with examples and with the public sources you can check yourself, to see what is actually certified or approved by a governing body as opposed to a vendor following a guideline or meeting certain requirements on its own say-so.
Let's use VMware products for the discussion. VMware vSphere and NSX have official DISA STIGs. If you head over to DISA's public STIG library (or a mirror such as STIG Viewer), you can see the guidelines published for each product that has one: VMware vCenter, ESXi and NSX all appear in the list. vSAN is part of ESXi, so its settings are covered and kept up to date in the ESXi STIG rather than in a separate document; the public post that links to the STIG guideline explains this.
To be deployed in the DoD, a solution has to be configured against a DISA STIG and assessed as part of the system's authorization. Only DISA publishes STIGs, so "has a DISA STIG" is a statement that only the governing body can make true. A vendor's own hardening guide written "in line with STIG principles" is not a DISA STIG, and a deployment hardened with it can at best be called compliant with a guideline; that describes the state of your configuration, not an official status the product holds. Note also that a STIG is a configuration standard for a product, not an endorsement of it.
So Compliance is NOT equal to Approved.
Do not get this confused. Anyone can be in compliance by following a guideline, but that does not make the solution approved.
Next, let's talk about compliance claims around FIPS 140-2, the NIST standard for cryptographic modules. A module only has official status when it holds a certificate from the Cryptographic Module Validation Program (CMVP), which NIST runs jointly with Canada's CCCS. To find out whether a vendor's crypto module is validated, head over to the NIST CMVP validated modules search and look the vendor up. A product described as "FIPS compliant", "FIPS ready" or "FIPS capable" is making a vendor statement, not reporting a CMVP status, and such wording is misused often. (NIST's own term for a module on the list is "validated", and "certified" is commonly used as a synonym for it; the distinction that matters is between a certificate number on the CMVP list and a claim with no certificate behind it.) To find out the truth, search the NIST list by vendor name.
If you enter VMware, you will see the VMware Cryptography Module listed; vSphere holds its FIPS status because it uses that validated module. Try other vendors such as Red Hat, Oracle, Citrix, Nutanix and Microsoft and you will find different results. When you do find a certificate, read it rather than stopping at the vendor name: check that the module version and the tested operational environment (OS and hardware) match what you deploy, that the certificate status is Active rather than Historical or Revoked, and that the product actually runs the module in its approved mode of operation. A product that merely bundles a validated module but uses a version outside the certificate, an untested platform, or non-approved algorithms is not operating in a validated state.
Note that FIPS 140-2 defines four security levels, not two. Level 1 is the lowest and is what most software modules achieve; Levels 2 to 4 add requirements such as role-based or identity-based authentication and tamper-evident or tamper-responsive physical protection, which in practice means hardware modules (HSMs, smart cards, appliances). Be aware as well that FIPS 140-3 has superseded 140-2: CMVP stopped accepting new 140-2 submissions in September 2021, existing 140-2 certificates stay on the list but are scheduled to move to Historical status in 2026, and new validations are issued under 140-3.
Compliant is NOT Validated, and a claim is NOT a certificate.
Be very careful when you need a FIPS solution and it is claimed to be validated but is not on the CMVP list, or the certificate does not cover the version and platform you run. What does your security policy actually require: a product that uses FIPS-approved algorithms, or a CMVP-validated module operating in its approved mode? Make sure you are certain of it.
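As an added example (not code from the original post), here is a small Python checker that encodes the questions above: given a vendor claim (vendor, module name, version, platform) it looks the module up in a CMVP-style record set and reports whether the claim is backed by an Active certificate, a Historical one, none at all, or one that does not cover the version or platform being deployed. The certificate records are constructed for illustration and are not real CMVP data; the field names mirror what a certificate page shows, but the checker does not query NIST.

```python
"""Check a vendor's FIPS claim against CMVP-style certificate records.

Added example, not code from the original post. The certificate records
below are CONSTRUCTED to mirror the fields a NIST CMVP certificate page
shows (vendor, module name, certificate number, standard, overall level,
status, validated versions, tested operational environments); none of
them is a real certificate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    number: int
    vendor: str
    module: str
    standard: str            # "FIPS 140-2" or "FIPS 140-3"
    level: int               # overall security level, 1 to 4
    status: str              # "Active", "Historical" or "Revoked"
    versions: frozenset      # module versions the certificate covers
    environments: frozenset  # operational environments CMVP actually tested


@dataclass(frozen=True)
class Claim:
    vendor: str
    module: str
    version: str
    environment: str


# Constructed sample records (NOT real CMVP data).
CMVP_LIST = (
    Certificate(1001, "ExampleVendor", "Example Cryptographic Module",
                "FIPS 140-2", 1, "Historical",
                frozenset({"1.0", "1.1"}),
                frozenset({"Linux 3.10 on x86_64"})),
    Certificate(4002, "ExampleVendor", "Example Cryptographic Module",
                "FIPS 140-3", 1, "Active",
                frozenset({"2.0"}),
                frozenset({"Linux 5.15 on x86_64", "Linux 5.15 on aarch64"})),
    Certificate(2003, "HSMCo", "HSMCo Network HSM",
                "FIPS 140-2", 3, "Active",
                frozenset({"fw 7.2"}),
                frozenset({"HSMCo Appliance Model A"})),
)

_STATUS_RANK = {"Active": 0, "Historical": 1, "Revoked": 2}


def _norm(text):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(text.lower().split())


def check_claim(claim, certs=CMVP_LIST):
    """Return (verdict, certificate_number).

    Verdicts, from best to worst:
      VALIDATED              Active certificate covers version and environment
      VALIDATED_HISTORICAL   certificate exists but CMVP lists it as Historical
      ENVIRONMENT_NOT_TESTED version is validated, but not on the platform claimed
      VERSION_NOT_COVERED    module is validated, but not this version
      REVOKED                the only matching certificate(s) were revoked
      NOT_VALIDATED          no certificate at all: "compliant" is a vendor claim
    """
    same_module = [c for c in certs
                   if _norm(c.vendor) == _norm(claim.vendor)
                   and _norm(c.module) == _norm(claim.module)]
    if not same_module:
        return "NOT_VALIDATED", None

    covering = [c for c in same_module if claim.version in c.versions]
    if not covering:
        return "VERSION_NOT_COVERED", None

    # Prefer Active over Historical over Revoked, then the newest certificate.
    covering.sort(key=lambda c: (_STATUS_RANK.get(c.status, 9), -c.number))
    usable = [c for c in covering if c.status != "Revoked"]
    if not usable:
        return "REVOKED", covering[0].number

    env_ok = [c for c in usable
              if _norm(claim.environment) in {_norm(e) for e in c.environments}]
    if not env_ok:
        # Validated module, but you would be running it on an untested platform.
        return "ENVIRONMENT_NOT_TESTED", usable[0].number

    best = env_ok[0]
    if best.status == "Historical":
        return "VALIDATED_HISTORICAL", best.number
    return "VALIDATED", best.number


def report(claim, certs=CMVP_LIST):
    """Human-readable one-liner for a claim."""
    verdict, number = check_claim(claim, certs)
    cert_text = f"certificate #{number}" if number is not None else "no certificate"
    return f"{claim.vendor} / {claim.module} {claim.version} on {claim.environment}: {verdict} ({cert_text})"


if __name__ == "__main__":
    for c in (
        Claim("ExampleVendor", "Example Cryptographic Module", "2.0", "Linux 5.15 on x86_64"),
        Claim("ExampleVendor", "Example Cryptographic Module", "2.0", "Windows Server 2022 on x86_64"),
        Claim("ExampleVendor", "Example Cryptographic Module", "3.0", "Linux 5.15 on x86_64"),
        Claim("OtherVendor", "Other Crypto Library", "1.0", "Linux 5.15 on x86_64"),
    ):
        print(report(c))
```

The order of the checks is the point: a vendor name on the list is necessary but not sufficient, and each later test (version, environment, status) is one that a "FIPS compliant" marketing line quietly skips.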