Are FIPS and other NIST InfoSec standards and criteria accepted commercially?

Tags:
CIO
Compliance
Financial services applications
Laws
Regulations
Security
Security management
Security products
standards
Vendors
I know that information security decision makers and policy makers within the Federal government rely heavily on standards such as FIPS certification from the National Institute of Standards and Technology (NIST). How much weight is there placed on a product or service that has met certification requirements from NIST in non-government verticals? For example, would a bank, healthcare company, or manufacturing company choose a FIPS-certified VPN or Firewall over a comparable VPN or firewall product that has not been certified? Thanks in advance for your feedback and comments.

Answer Wiki


I come from the Financial Services industry. I can’t speak for all financial services companies, but I can share how my company would look at it.

We are very much market driven. If a market segment or an important client needed their financial services provider to be FIPS-compliant, we would very likely choose the FIPS-certified product over the non-certified product.

Otherwise the decision may be based upon
– the company’s political climate
– the company’s risk tolerance
– what information is being protected (i.e., all customer data vs. limited subset of public information)
– the cost comparison
– the vendors’ customer responsiveness and support
– the internal business line’s willingness to absorb any extra costs

I have not (yet) experienced any pressure from regulatory agencies to favor the FIPS-compliant products or services. Our independent auditing firm that qualifies financial statements under Sarbanes-Oxley has not applied any similar pressure.

In summary, for my company the answer is not an automatic ‘yes’ unless it would be vital for customer service.

I hope this helps you.

Discuss This Question: 1 Reply
  • Wickedstick
    FIPS is a set of standards and guidelines developed mainly for Federal use. That doesn't mean others can't use it or base their decisions the same way (cheap way to come up with your standards - they're already written) but many may not apply to civilian environments. I'm going to base my purchasing decisions on other factors and could really care less if it is FIPS compliant.
