
Sprint


Envoy Government Communications Newsletter

FIPS 140-2: Securing Data from the Device to the Data Center

By Lisa Bowman

As more and more data travels over wireless networks to and from devices that grow smarter every day, the federal government in particular is becoming increasingly concerned about the security of that information.

These days, when people lose their mobile phones, they leave behind not only the devices but possibly trails of private phone numbers, notes, and calendar appointments that anyone could access if they're not secured. Even if the device isn't misplaced, the information could still be compromised if the data transmitted over the network is intercepted.

Unlike a personal cell phone, a device carried by, say, a federal law enforcement officer or a Department of Defense official could contain sensitive information that could have disastrous effects if it falls into the wrong hands.

As a result, the federal government requires all IT products sold to its departments and agencies to meet strict security standards, including the encryption standard known as FIPS 140-2.

FIPS 140-2 (or Federal Information Processing Standards Publication 140-2) specifies how software and hardware that encrypt and decrypt sensitive but unclassified data should be designed and implemented. The hard-to-crack encryption standard provides for four increasingly stringent levels of security, based on how users are authenticated and how products respond to tampering, among other things.

FIPS 140-2 is the third rendition of the FIPS 140 standard, which is reviewed every five years. Its predecessors are FIPS 140 and FIPS 140-1, which went into effect in July 1997. Beginning in July 2002, all technical products sold to the government were required to meet FIPS 140-2 validation specifications.

The FIPS 140-2 validation process is rigorous. In order to obtain validation, a company must submit its product and accompanying documentation (including source code and a security policy) to a government-sanctioned laboratory for testing. The laboratory then conducts tests to make sure encryption methods are up to par and issues a report to the National Institute of Standards and Technology, or NIST, which supplies the official certificate that the product's encryption has been FIPS 140-2 validated.

Sprint has taken a leading role in ensuring data security for its government customers, whether the information is "at rest" on a mobile device, or traveling over a wireless or wired network. With its partners, Sprint offers a complete line of solutions that meet FIPS 140-2 validation specifications, from the device up to the data center.

"We come to the table with offerings where we have thought ahead about the security implication and requirement," says Darlene Hines, senior solutions specialist for mobile computing in the Government Systems Division at Sprint. "We're going to bring them a solution that is further along. We don't just bring them the line and the dial tone, we bring them a protected dial tone and end-user mobile device."

The Sprint suite of FIPS 140-2-validated solutions has been a key reason why some customers have chosen to go with Sprint, says Hines.

For example, Sprint partnered with IBM to provide FIPS 140-2-compliant products and services to Hill Air Force Base in Ogden, Utah. They're using a wireless network and mobile devices for their aircraft maintenance operations.

In announcing the deployment, Myron Anderson, retired provisional IT director of Hill Air Force Base, said his team evaluated several products and chose Sprint in part because of the security they offered. "Our requirements for high-grade security, device independence, and flexibility were highly demanding," Anderson said in a statement. He also predicted the choice would save the Air Force millions of dollars annually.

Other Sprint partners that have gained FIPS 140-2 certification for their products include Credant Technologies, which provides software for mobile security across all Sprint PCS network devices, and Good Technology, which recently announced that its GoodLink wireless data access system has been validated for use with palmOne™'s Treo™ 600 smartphone, which runs on the Sprint PCS network. NIST keeps a list of FIPS 140-2-validated products, as well as a list of those in the evaluation process, on its Web site at http://csrc.nist.gov/cryptval.

It can take from 6 to 18 months and cost upwards of $100,000 to have a product validated. However, failing to obtain validation could lock a company not only out of the government market but out of other sectors as well.

Hines said companies in the financial and healthcare markets keep a close eye on the government's security guidelines and tend to follow its example.

"The federal government is taking the lead in putting policies and standards in place that really translate across other commercial entities, like finance, insurance, and healthcare," she said.

In essence, companies receiving FIPS 140-2 validation bear a third-party seal of approval for security that their competitors do not.
