DIGISTOR Storage Certifications and Validations
The Certifications You Need
Many of our customers require their secure data at rest (DAR) storage solutions to be built from CSfC-listed components. Others develop their solutions from Common Criteria/NIAP-listed or FIPS-certified SSDs. TCG Opal compliance suffices for other secure storage solutions.
Regardless, DIGISTOR has a variety of products to meet the certification level your solution requires.
Commercial Solutions for Classified (CSfC)
The Commercial Solutions for Classified (CSfC) program was established to enable U.S. government agencies and their customers to take advantage of affordable and readily available commercial off-the-shelf (COTS) IT solutions that meet the highest security standards.
When a DIGISTOR solution has been “CSfC-listed,” it means the solution has been evaluated for Hardware Full Disk Encryption and approved by the NSA as meeting the security requirements for protecting classified information using commercial technologies.
With CSfC-listed products, agencies no longer rely solely on expensive and customized government equipment. The CSfC program has become increasingly important as government agencies seek more cost-effective solutions while meeting the NSA’s stringent security guidelines for the transmission of classified data. For more information, see our blog post on CSfC.
NIAP Common Criteria
Common Criteria (CC) is more formally known as the Common Criteria for Information Technology Security Evaluation, an international standard (ISO/IEC 15408) for computer and IT product security certification.
When a product is “NIAP-listed,” it means that the product has successfully undergone the Common Criteria evaluation process through the NIAP program. The product has been deemed to meet the security requirements outlined in the relevant protection profile, and it has received recognition from the NIAP as being suitable for use in national security systems.
Common Criteria validation and NIAP listing provides a level of assurance to customers and organizations that the products have undergone thorough security evaluations and testing recognized globally. This can be particularly important when dealing with sensitive or classified information where the security of the systems and products is paramount. Learn more about Common Criteria on our blog.
The Cryptographic Module Validation Program (CMVP) is a program run by the National Institute of Standards and Technology (NIST) in the United States. It focuses on validating cryptographic security and capabilities for protecting sensitive information and communications.
The CMVP evaluates cryptographic modules against the requirements outlined in the Federal Information Processing Standards (FIPS) Publication specifies the security requirements that cryptographic modules must meet to be considered secure for use in government and regulated industries.
The validation process involves thorough testing, documentation review, and assessment of security functions to ensure they meet the specified standards. If a module successfully passes the validation process, it receives a FIPS certification, which assures users that the module has been independently evaluated and meets established security criteria. See more about FIPS on our blog.
TCG Opal 2.0
Developed by the Trusted Computing Group (TCG), an international organization whose members work together to formulate industry standards, the Opal Storage Specification is a set of security specifications used for applying hardware-based encryption to storage devices.
The Opal Storage Specification is crucial to ensuring the security and confidentiality of data, especially in the context of storage devices like disk drives. The emphasis on encryption as a protection mechanism aligns with the broader goal of trusted computing to establish a secure and predictable computing environment.
By enforcing encryption for stored data, TCG Opal 2.0 addresses the potential risks associated with the loss, theft, or seizure of drives. This aligns with the concept of “trust” in computing, where users can rely on a device, product, or software to behave in a predefined and secure manner for a specific purpose.