I recently received an inquiry from a reporter that read like this:
My reply to this inquiry was uncharacteristically short:"Are you comforted, or left cold when you hear a product has FIPS 140-2 validation that guarantees it's implementing encryption modules correctly?"
"Assuming secure data transmission or storage is important in the use case, is this buzzword bingo or a valuable asset?"
"Today, fully validated FIPS 140-2 cryptography modules come free or bundled with your OS, your Java runtime, several application packages and some hardware components. These implementations are typically available for your own applications through well-documented APIs."
"Not using FIPS 140-2 cryptography in the year 2011 is like opening a savings account at a bank without the FDIC’s $250K-per-account guarantee. You could do it, and it might work, but why take the risk when a safer option is available for no extra charge?"
I am not the type of person who would insist that everyone use FIPS-validated algorithms for every operation.
But, if your IT department intersects with the finance, health care, government or energy sectors, or is subject to regulations such as PCI-DSS, then you should be using FIPS 140-2 validated cryptography now to protect data-in-transit and data-at-rest.
When the cost to mitigate risk is zero, why not?
