BlackBerry® solutions have enabled secure government mobility for over a decade. An important component of this effort has been to continuously invest the time and resources required to achieve and maintain FIPS 140-2 certification.

Today we’re excited to share the news of FIPS 140-2 certification for the upcoming BlackBerry® 10 platform. The certification will enable government agencies to deploy BlackBerry 10 smartphones and BlackBerry® Enterprise Service 10, RIM’s new mobile enterprise management solution, from the day of launch.

What is FIPS 140-2?

FIPS, or “Federal Information Processing Standard” 140-2 is an industry standard developed jointly by the U.S. and Canadian Governments to provide a common certification for the security of encryption modules in technology products. In this blog post, I’ll provide a general overview of FIPS 140-2 and demonstrate how FIPS 140-2 certification of encryption modules used in BlackBerry products is an important piece of the security and certification puzzle.

Two programs govern certification for FIPS 140-2: Cryptographic Module Validation Program (CMVP), and the Cryptographic Algorithms Validation Program (CAVP). These programs can evaluate software, hardware, and firmware – or any combination of the three. With the passage of the Federal Information Security Management Act (FISMA) of 2002, all U.S. federal organizations must use FIPS 140-2 certified encryption modules in their technology. Beyond federal organizations, FIPS 140-2 is often seen as a requirement for broader government and law enforcement use, and also provides peace of mind for enterprise customers.

“Achieving FIPS 140-2 certification means that BlackBerry 10 is ready to meet the strict security requirements of government agencies and enterprises at launch. What differentiates BlackBerry is that it is the only mobile solution that integrates end-to-end security, and includes certified encryption algorithms for data at rest and data in transit. No other mobile solution can claim this level of security today or in the near future.”
- Michael K. Brown, RIM Vice President of Security Product Management and Research

FIPS 140-2 ensures and verifies that encryption within a module is implemented correctly. Vendors can choose to register a particular module or multiple modules within the product for FIPS 140-2 certification. For BlackBerry smartphones running the BlackBerry operating system (OS) up to and including version 7.1, we have achieved FIPS certification for the BlackBerry Cryptographic Kernel module that resides in the OS. The BlackBerry 10 platform (as well as the current BlackBerry® PlayBook™ tablet) makes use of the FIPS-certified BlackBerry OS Cryptographic Library module. All of the encryption algorithms used in BlackBerry 10 meet CAVP requirements.

You might have noticed that we’ve so far discussed encryption within (often specific) modules and not an entire device or platform. In order to validate the security of the entire BlackBerry 10 platform, we augment our security assurance by performing other tests and gaining additional certifications. Many evaluation bodies, like Common Criteria (ISO 15408), use FIPS 140-2 certified encryption modules as a foundation for a broader product evaluation.

The uniquely secure BlackBerry Cryptographic Library

At RIM, we not only incorporate FIPS 140-2 certified modules into all of our smartphones and tablets, but have also obtained FIPS 140-2 certification for the central BlackBerry Cryptographic Library. The BlackBerry Cryptographic Library is a pre-built DLL (Dynamic-Link Library), which offers cryptographic services for a variety of BlackBerry products including BlackBerry® Desktop Software, BlackBerry® Enterprise Server, BlackBerry® Mobile Fusion, and BlackBerry® Enterprise Service 10. These products are used along with the BlackBerry devices to connect to resources on the enterprise network. Using a model like this allows us to provide a secure end-to-end mobility solution, from the device straight to the enterprise network.

Why does FIPS 140-2 certification matter?

Enterprises today are demanding more from their mobility solutions, including providing workers with access to sensitive enterprise data, behind-the-firewall mobile applications, and a variety of services accessed directly from a smartphone or tablet. With this increased level of access comes an increased level of risk. Our FIPS 140-2 certifications, in conjunction with the multitude of other security accreditations, provide IT managers with assurance that the risks surrounding data at rest and data in transit can be adequately managed using BlackBerry products. RIM introduced the first smartphone with a FIPS approved module to the mobile market, and since its inception, no other mobile solution has been awarded the same level and quantity of security accreditations granted to BlackBerry products.

As you can see, FIPS 140-2 provides security-conscious organizations with the peace of mind to continue forward with mobility and to realize the benefits of mobile solutions without having to worry about compromising the security of communications. FIPS 140-2 is an important certification for the BlackBerry solution, but it is only one piece of our certification portfolio. We have more third-party security certifications and more government mobile device management experience than any provider of mobile solutions. This is why the BlackBerry solution is considered the gold standard in the enterprise, small business, and government.

Security beyond mobile devices

While it’s important that mobile devices in your work environment are certified as secure against wider standards, device certification is only one piece of the security puzzle for an organization. The solution used to manage these mobile devices and the communication, transfer of data, and access controls also need to be verified as secure. This is why we’re developing the upcoming BlackBerry Enterprise Service 10 as the next-generation secure enterprise mobility management platform. The BlackBerry Cryptographic Library and the BlackBerry Cryptographic Java Modules that are used in BlackBerry Enterprise Service 10 have also achieved FIPS 140-2 certification. We firmly believe that BlackBerry Enterprise Service 10 and the BlackBerry 10 platform represent the most secure and functionally holistic mobile solution for enterprise and government.

For more information about the security of corporate data on BlackBerry 10 devices, check out our article on BlackBerry® Balance™.

Does your business use BlackBerry solutions out of concern for security in mobility? Share in the comments below.

It’s well known that BlackBerry® smartphones are some of the most approved and accredited devices in the market — and you may have seen news reports and social content about BlackBerry smartphones earning approvals from various governments and international certification bodies. I work as part of the BlackBerry Security Certifications team, and in this blog post I’ll provide some insights into the team that is responsible for achieving these security approvals and certifications.

The Security Certifications team is a global group with multiple presences in North America, Europe and Asia-Pacific regions. With varied personal interests, our team members are even more diverse than our geographical locations. Having such a varied team allows us to leverage our unique strengths and draw from each others varied knowledge, interactions, and experiences. This helps us to stay current in the security and information assurance industries. Talk to us about an intriguing piece of technology and we will likely be able to tell you what security certifications apply to it!

So, what exactly do we do? We facilitate communication between technology-approving organizations and the BlackBerry product teams — and of course, we work on earning new product approvals and accreditations! For us, security is a way of life and not just an item on the checklist. I look forward to describing these certifications in detail over the coming months, but here is an overview of some of what we have achieved to date (a more detailed list can be found here):

• CESG Approval – CESG Approval allows private sector company products to be used by the United Kingdom government and other organizations, when correctly configured.
• Common Criteria Evaluation Scheme – Common Criteria (ISO 15408) is a multinational security certification program that is recognized in 26 countries world wide.
• Government Approvals – Various BlackBerry products have been independently evaluated and verified for in-country specific needs by NATO, as well as the governments of New Zealand, Australia, Canada, the United States, Austria, Turkey, and others.
• Near Field Communication (NFC) Certifications – Some of the latest BlackBerry devices are the first mobile devices to achieve UICC (SIM card) certification for both MasterCard® and VISA®. Using NFC technology, these devices are now approved to be used like credit cards that are capable of using either MasterCard PayPass® or VISA payWave® payment terminals.
• NIST FIPS 140-2 – The FIPS 140-2 is part of the Cryptographic Module Validation Program National Institute of Standards and Technology (for US government) and the Communications Security Establishment (for Canadian government).

This is just a snapshot of the wide range of work that our team performs and the certifications that have been achieved by BlackBerry solutions. By adding new approvals all the time, we continue to lead the industry in enterprise mobile security.

What approvals and certifications do you require in order to bring BlackBerry devices into your business? Share in the comments below.

BlackBerry® PlayBook™ OS 2.0, having made its debut at CES 2012 in Las Vegas, recently joined the family of FIPS 140-2 certified BlackBerry solutions. Along with it, BlackBerry® Device Service, a component of BlackBerry® Mobile Fusion, is now also FIPS 140-2 certified. This is an important certification and a U.S. government computer security standard; many organizations and governments have FIPS 140-2 certification as a requirement for use within their networks.

Why does FIPS 140-2 certification matter?

Good question! Certifications in general, and this one in particular, are an indication not only of security and reliability, but also of a process in which independent third parties have provided validation. Beyond government, industries like health care and finance also trust in FIPS 140-2 certifications, as both involve the storing of personal and sensitive information.

Hearing from the Business Analyst community

Today we’ve caught up with Eugene Signorini, Senior Vice President of the Yankee Group’s research team, to chat about these recent certifications of BlackBerry PlayBook OS 2.0 and BlackBerry Device Service. Check out the interview below:

[Biz Blog]: Thanks for joining us today! Why don’t you share a bit of info on your experience and what you focus on in your work?

[Eugene Signorini]: I currently lead Yankee Group’s research team, which is 100% focused on mobility trends and issues. Personally, I focus on enterprise mobility, which includes mobile applications, mobility management, mobile device & OS issues for business, mobile payments, and mobile security. I co-founded Yankee Group’s enterprise mobility research practice in 2002 and have been focused on the topic for more than 10 years.

[Biz Blog]: What is the general significance of certifications like FIPS 140-2? Who does this apply to?

Certifications such as FIPS 140-2 provide an important benchmark for organizations when evaluating security credentials for certain devices and solutions. Essentially, for companies with the most stringent standards for security – whether those are for regulatory or compliance issues, or just standard company practice – benefit from these certifications because it removes uncertainty when approving vendors or suppliers. Knowing something is FIPS certified essentially provides a gold standard, a seal of approval for IT and security organizations. This level of security especially applies to government agencies, financial services firms, and health care, where regulatory and compliance standards are rigid, and require the highest levels of data and information protection.

[Biz Blog]: Is security still an important consideration concerning mobile devices?

Security remains top of mind for IT leaders when it comes to implementing mobility solutions. Yankee Group’s June 2012 Enterprise Mobility IT Decision Maker Survey reveals that security remains the number one obstacle for companies in supporting mobile workers. And mobile security ranks third among all IT priorities across the organization, coming behind only cloud-based services and mobile applications.

[Biz Blog]: What are some of the most prominent security challenges facing businesses today, and how are they reacting?

Most companies are increasingly concerned about managing mobile devices, and securing information on those devices. Specifically, the top three security challenges that we’ve seen enterprises facing are secure network access for mobile workers, mitigating potential loss of data or intellectual property, and prevention of malware across multiple devices and operating systems.

[Biz Blog]: How does security extend beyond simple password protection? Should consumers also be concerned about the security built into their smartphones and tablets?

Password protection is really the baseline level of security for mobile devices – it’s a no brainer and something all organizations should implement. After all, the easiest way to expose sensitive information is by a device falling into the wrong hands. However, organizations are quickly coming to the realization that there is more to security than just basic password enforcement. At the end of the day, it’s about protecting the information on the device both in transit and in static state. Consumers are slower to understand the threats related to information security, but recent events such as compromises to passwords on popular social media and consumer cloud sites raise awareness that consumers need protection as well. I anticipate that as more of these incidents occur, consumers will place a much higher value on device and personal information security.

[Biz Blog]: Thanks for joining us and sharing from your experience!

What type of security challenges is your business experiencing? What steps and approaches have been taken to meet them? Share in the comments below.

In his statement – available below via the BlackBerry SlideShare™ channel – Scott highlighted the need for the wireless industry to meet public demand for secure information and privacy, as well as practices of risk management and the provision of secure solutions for business and government. User awareness of security certifications of products is also a crucial priority when choosing the components of a secure solution. Check out the statement below for the full scoop:

When it comes to helping our customers build security into their own networks and mobility deployments, beyond the secure manageability included with BlackBerry® Enterprise Server and the new BlackBerry® Mobile Fusion, BlackBerry® Balance™ technology has been a groundbreaking approach to the way that data is managed on BlackBerry smartphones and BlackBerry® PlayBook™ tablets. To learn more about the BlackBerry Balance solution – which allows a robust user experience without compromising an organization’s ability to control corporate data – check out this Inside BlackBerry for Business Blog post and the BlackBerry Balance web site. How will BlackBerry Mobile Fusion and BlackBerry Balance work together? We’ve got info on that too.

For more information on BlackBerry solution security features and certifications, take a look at www.blackberry.com/security.

Is your place of work concerned about security? What steps have been taken to ensure the security of data, or prevent attacks? Share in the comments below.

All devices that utilize BlackBerry® 7 OS and BlackBerry® 7.1 OS are currently FIPS validated including the BlackBerry® Bold™ 9900, 9930 and 9790, BlackBerry® Torch™ 9860 and 9810, and BlackBerry® Curve™ 9360 and 9380 smartphones. FIPS 140-2 provides a standard that will be used by Federal agencies of the US and Canadian governments when these organizations specify that cryptographic-based security systems are to be used to provide protection for sensitive information. Modules validated as conforming to FIPS 140-2 are typically accepted by Federal agencies of both countries for the protection of sensitive information.

Research In Motion has a track record of meeting (and surpassing) government guidelines for secure mobile solutions. Our government customers know just how important a FIPS 140-2 certification is in their ability to deploy security-conscious mobile solutions, and RIM has been at the forefront. Awarded by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) as part of the Cryptographic Module Validation Program (CMVP), the FIPS 140-2 certificate gives security-conscious customers more confidence in knowing that their data and sensitive information is encrypted and protected in a manner consistent with this standard. By regulation and policy, products that are not FIPS-certified often cannot be purchased for use by the U.S. and Canadian governments.

Check out the press release, learn more about BlackBerry security, and find out more about the latest features of BlackBerry 7 OS and BlackBerry 7.1 OS smartphones to stay informed!

Is security a concern for your organization? What measures have been taken to protect corporate and sensitive data? Share in the comments.

© 2012 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion® and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. FIPS certification does not imply product endorsement by NIST, the U.S. or Canadian Governments.

[ YouTube link for mobile viewing ]

Research In Motion Limited (RIM®) is focused on innovation in the mobile space, which means we’re always expanding our understanding of what our customers want and need in an ever-changing and accelerating mobile world. There’s a lot going on behind the scenes and a wide array of technology “building blocks” in the pipeline. In addition to the obvious expansion from smartphones into tablets through the BlackBerry® PlayBook™ tablet, RIM also has efforts around mobile device management, unified communications and VOIP, multi-core real time OS via QNX, mobile multimedia, and much more. One interesting example of these ‘building blocks” is the BlackBerry® Smart Card Reader.

The BlackBerry Smart Card Reader is a peripheral device that allows organizations, especially those in highly secure industries, to integrate their pre-existing, smartcard-based security mechanisms into the BlackBerry® solution, adding an additional layer of access security. Smart Card technologies are in line with security programs like the U.S. Department of Defense’s Common Access Card (CAC) program and the Homeland Security Presidential Directive 12 (HSPD-12), which calls for a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and to the employees of federal contractors.

Being part of the BlackBerry family, it comes as no surprise that the BlackBerry Smart Card Reader, just like the BlackBerry PlayBook tablet, has recently earned FIPS 140-2 certification. Specifically, the BlackBerry Smart Card Reader earned a Level 3 designation – the highest certification achieved by any wireless smart card reader on the market – verifying our advanced security features, including things like physical tamper evidence and self destruction of critical security parameters upon device breach.

Since I am always interested to hear more about our security story, I met up once again with Michael K. Brown, Director of Security Product Management, to discuss the BlackBerry Smart Card Reader and its new FIPS certification. Check out our conversation in the above video.

Do you have any questions about the BlackBerry Smart Card Reader? Please share in the comments.

(YouTube link for mobile viewing)

While the BlackBerry® platform is already synonymous in many circles with security, it’s important to our customers that the BlackBerry solution is not only functionally secure, but is recognized and certified as such. Our ongoing commitment to security was recently recognized as the BlackBerry® PlayBook™ tablet from Research In Motion® (RIM®) became the first (and only) tablet device to achieve Federal Information Processing Standards (FIPS) 140-2 security certification.

Beyond being a mandatory requirement for US government purchases and use, FIPS certification recognizes the BlackBerry platform’s ongoing commitment to security. This unwavering approach to product development is designed to enable our customers to focus on solving real business issues – navigating uncharted waters and moving their organizations forwards – instead of wasting time constantly trying to ‘batten down the hatches’ security-wise.

I was eager to congratulate my colleague Michael K. Brown, Director of Security Product Management at RIM, and was able to steal a few minutes of his time to chat further about what the FIPS certification of the BlackBerry PlayBook tablet means for our customers.

We have very significant news to share with our government customers – today the BlackBerry® PlayBook™ tablet officially received FIPS 140-2 certification, the first tablet to ever have received this certification. With FIPS 140-2 certification, the BlackBerry PlayBook tablet can now be used by the U.S. federal government with confidence, knowing that it meets their policy requirements for securing and protecting sensitive data.

This absolutely underscores the commitment by Research In Motion® (RIM®) to building products that meet stringent security requirements of the US Federal Government.

There are a wide variety of smartphone and tablet products available on the market today, many of which don’t meet the highest level of security standards that government agencies demand. The BlackBerry PlayBook tablet and BlackBerry smartphones are clear exceptions.

The BlackBerry PlayBook tablet is a natural extension to the hundreds of thousands of BlackBerry® smartphones that are used in the Federal Government today. With the BlackBerry® Bridge™ application, the BlackBerry PlayBook tablet can be paired with a BlackBerry smartphone to provide secure access to information on the larger screen while keeping the data stored safely on the BlackBerry smartphone. Secure network communication is also extended to the BlackBerry PlayBook tablet in this manner, designed to allow the government to be assured that they can securely access applications and other critical data.

I’m pretty excited about the opportunities that the BlackBerry PlayBook tablet presents for government agencies. Pilot projects to use the BlackBerry PlayBook tablet are already underway across the government and the use case scenarios are impressive. Give me a shout in the comments if you would like to discuss how the BlackBerry PlayBook tablet would fit into your agency or department.