LAN_PRINT_135: GSA Awards Large Contracts for 10 Encryption Products
(LAN_PRINT_86 IT Management)
LAN_PRINT_94 NIST.org
Wednesday 20 June 2007 - 22:52:35

The Government Services Administration (GSA) has awarded 10 “blanket purchase agreements” for products designed to encrypt “data at rest”. All 10 products use NIST.gov FIPS 140-2 validated encryption modules. You will be hearing much more about these products in the coming months.

The U.S. Government mandated the use FIPS 140-2 data encryption under OMB memorandum M-06-16 back in June of 2006. Agencies have been very slow in adopting a particular product due to cost, complexity, and fear of obsolescence. If they spent millions on a product and implementation only to have the company go out of business they would be stuck with a big albatross and a lot of work to undo and redo everything. Part of the selection process takes in to account reliability of a company and past contract performance. But not all products listed have the same level of management features which is very important with a product such as this.

The announcement by GSA on June 18th is mostly a purchasing vehicle but it could go a long way in jump starting the Government's acceptance of encrypting Data at Rest (DAR). The following companies / products are what will be offered under the GSA's SMARTBuy program.

• Mobile Armor’s Data Armor
  
• Safeboot’s Safeboot Device Encryption
  
• Information Security’s Secret Agent
  
• SafeNet’s SafeNet ProtectDrive
  
• Encryption Solutions’ SkyLOCK At-Rest
  
• Spyrus’ Talisman/DS Data Security Suite WinMagic’s SecureDoc
  
• Credant Technologies’ Credant Mobile Guardian
  
• GuardianEdge Technologies’ GuardianEdge

If you are not a U.S. Government agency you may want to consider a free open source product such as TrueCrypt. It uses the same AES 256 bit encryption but its implementation hasn't gone through the government testing to make sure it was implemented securely. That validation process costs money. Such products are great for a limited number of computers but lack some of the management type features that an enterprise needs. An example would be key escrow which is a manual process in TrueCrypt but is automated in some of the products listed above (using your existing PKI and directory infrastructure).

{BLOGME}
{GOOGLESBOX=encryption}
{AMAZONPROD=0764541889}

---

LAN_PRINT_303NIST IT Security
( http://www.nist.org/comment.php?comment.news.240 )