OT:Defense kicks off open-source encryption program
By Jana Cranmer, GCN Staff
The Defense Department has launched a new program to encourage the use of open- source encryption software within DOD systems.
The Open Source Software Institute of Hattiesburg, Miss., will support the OpenCrypto Management Program, which is part of DOD’s Open Technology Development road map initiative. The goal of that program is to provide DOD with greater system development and acquisition flexibility through collaborative software development.
The OpenCrypto Management Program is a continuation and expansion of an earlier OSSI effort to certify the OpenSSL open- source encryption module under Federal Information Processing Standards 140-2, said OSSI Executive Director executive director John Weathersby.
“Interests within the DOD were pleased with the results of the initial OpenSSL validation program and have identified extensions to that work for greater availability of FIPS 140-2 validated open- source software for use within DOD IT systems,” Weathersby said.
In OSSI's earlier work, the source code for OpenSSL was certified. Now the team will validate a binary model of the OpenSSL. The team will then update the version for additional validations every six to eight months to address vendor concerns with the initial open- source- based validation.
“Prospective end users can use the specific binaries that were validated, if they happen to be suitable as-is. If not, OSSI will — in collaboration with the OpenSSL team — build a binary for the desired platform, where technically possible,” said OSSI technical project manager Steve Marquess. “Under a CMVP process known as ‘vendor affirmation’ ['vendor affirmation' (known as CMVP Implementation Guidance, section G.5],) that binary as delivered to the end user will satisfy the requirements for a FIPS 140-2 validated module.”
For non-U.S. DOD end users, there will be a one-time charge calculated on a cost-recovery basis, Marquess said.
AI
