BlackBerry has more third-party security certifications and more government mobile device management experience than any provider of mobile solutions.
BlackBerry® solutions have enabled secure government mobility for over a decade. An important component of this effort has been to continuously invest the time and resources required to achieve and maintain FIPS 140-2 certification.
Today we’re excited to share the news of FIPS 140-2 certification for the upcoming BlackBerry® 10 platform. The certification will enable government agencies to deploy BlackBerry 10 smartphones and BlackBerry® Enterprise Service 10, RIM’s new mobile enterprise management solution, from the day of launch.
What is FIPS 140-2?
FIPS, or “Federal Information Processing Standard” 140-2 is an industry standard developed jointly by the U.S. and Canadian Governments to provide a common certification for the security of encryption modules in technology products. In this blog post, I’ll provide a general overview of FIPS 140-2 and demonstrate how FIPS 140-2 certification of encryption modules used in BlackBerry products is an important piece of the security and certification puzzle.
Two programs govern certification for FIPS 140-2: Cryptographic Module Validation Program (CMVP), and the Cryptographic Algorithms Validation Program (CAVP). These programs can evaluate software, hardware, and firmware – or any combination of the three. With the passage of the Federal Information Security Management Act (FISMA) of 2002, all U.S. federal organizations must use FIPS 140-2 certified encryption modules in their technology. Beyond federal organizations, FIPS 140-2 is often seen as a requirement for broader government and law enforcement use, and also provides peace of mind for enterprise customers.
“Achieving FIPS 140-2 certification means that BlackBerry 10 is ready to meet the strict security requirements of government agencies and enterprises at launch. What differentiates BlackBerry is that it is the only mobile solution that integrates end-to-end security, and includes certified encryption algorithms for data at rest and data in transit. No other mobile solution can claim this level of security today or in the near future.”
– Michael K. Brown, RIM Vice President of Security Product Management and Research
FIPS 140-2 ensures and verifies that encryption within a module is implemented correctly. Vendors can choose to register a particular module or multiple modules within the product for FIPS 140-2 certification. For BlackBerry smartphones running the BlackBerry operating system (OS) up to and including version 7.1, we have achieved FIPS certification for the BlackBerry Cryptographic Kernel module that resides in the OS. The BlackBerry 10 platform (as well as the current BlackBerry® PlayBook™ tablet) makes use of the FIPS-certified BlackBerry OS Cryptographic Library module. All of the encryption algorithms used in BlackBerry 10 meet CAVP requirements.
You might have noticed that we’ve so far discussed encryption within (often specific) modules and not an entire device or platform. In order to validate the security of the entire BlackBerry 10 platform, we augment our security assurance by performing other tests and gaining additional certifications. Many evaluation bodies, like Common Criteria (ISO 15408), use FIPS 140-2 certified encryption modules as a foundation for a broader product evaluation.
The uniquely secure BlackBerry Cryptographic Library
At RIM, we not only incorporate FIPS 140-2 certified modules into all of our smartphones and tablets, but have also obtained FIPS 140-2 certification for the central BlackBerry Cryptographic Library. The BlackBerry Cryptographic Library is a pre-built DLL (Dynamic-Link Library), which offers cryptographic services for a variety of BlackBerry products including BlackBerry® Desktop Software, BlackBerry® Enterprise Server, BlackBerry® Mobile Fusion, and BlackBerry® Enterprise Service 10. These products are used along with the BlackBerry devices to connect to resources on the enterprise network. Using a model like this allows us to provide a secure end-to-end mobility solution, from the device straight to the enterprise network.
Why does FIPS 140-2 certification matter?
Enterprises today are demanding more from their mobility solutions, including providing workers with access to sensitive enterprise data, behind-the-firewall mobile applications, and a variety of services accessed directly from a smartphone or tablet. With this increased level of access comes an increased level of risk. Our FIPS 140-2 certifications, in conjunction with the multitude of other security accreditations, provide IT managers with assurance that the risks surrounding data at rest and data in transit can be adequately managed using BlackBerry products. RIM introduced the first smartphone with a FIPS approved module to the mobile market, and since its inception, no other mobile solution has been awarded the same level and quantity of security accreditations granted to BlackBerry products.
As you can see, FIPS 140-2 provides security-conscious organizations with the peace of mind to continue forward with mobility and to realize the benefits of mobile solutions without having to worry about compromising the security of communications. FIPS 140-2 is an important certification for the BlackBerry solution, but it is only one piece of our certification portfolio. We have more third-party security certifications and more government mobile device management experience than any provider of mobile solutions. This is why the BlackBerry solution is considered the gold standard in the enterprise, small business, and government.
(As of February 2015, BlackBerry holds 70+ security certifications and approvals from governments.)
Security beyond mobile devices
While it’s important that mobile devices in your work environment are certified as secure against wider standards, device certification is only one piece of the security puzzle for an organization. The solution used to manage these mobile devices and the communication, transfer of data, and access controls also need to be verified as secure. This is why we’re developing the upcoming BlackBerry Enterprise Service 10 as the next-generation secure enterprise mobility management platform. The BlackBerry Cryptographic Library and the BlackBerry Cryptographic Java Modules that are used in BlackBerry Enterprise Service 10 have also achieved FIPS 140-2 certification. We firmly believe that BlackBerry Enterprise Service 10 and the BlackBerry 10 platform represent the most secure and functionally holistic mobile solution for enterprise and government.
For more information about the security of corporate data on BlackBerry 10 devices, check out our article on BlackBerry® Balance™.
Does your business use BlackBerry solutions out of concern for security in mobility? Share in the comments below.