
Windows Phone picks up all nine FIPS 140-2 certifications, clears path for government customers


Good news if you’re a Windows Phone lover and happen to work for the United States or Canadian governments. The cryptographic modules in the mobile operating system you use every day have now been validated under the joint US/Canadian Cryptographic Module Validation Program (CMVP). Details after the break.

While Windows Phone is a fine operating system for both consumer and enterprise customers, it has been held back from government deployments. What kept it out? Its cryptographic modules lacked the validation certificates issued by the Cryptographic Module Validation Program (CMVP), which is operated jointly by the United States (NIST) and Canada (the Communications Security Establishment, CSE).

Windows Phone has just received all nine FIPS 140-2 validation certificates it was waiting on. FIPS stands for Federal Information Processing Standard; FIPS 140-2 is the publication titled "Security Requirements for Cryptographic Modules". It does not certify a phone as a whole: it validates individual cryptographic modules, in software or hardware, against one standard set of requirements (approved algorithms, key management, self-tests and so on). Having validated modules in Windows Phone lets government agencies and other regulated industries, such as healthcare and finance, collect, store, transfer, share and disseminate sensitive but unclassified information on the device in line with their own policies.

What does this mean for Windows Phone? It means government customers in the United States and Canada can now approve Windows Phone devices for deployment to their employees. You won’t be seeing James Bond with one soon (he deals with classified information, which FIPS 140-2 validation alone does not cover), but it’s a good win for Windows Phone and another step towards increased market share.
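A validated module only counts when the platform is actually running it in its approved mode and the application reaches it through the validated provider. The script below is an added example, not from the original article or from Microsoft: it checks the Windows FIPS policy on a Windows 8 / Server 2012 (or later) host, which shares its cryptographic stack with Windows Phone 8, and shows how the .NET runtime blocks the non-validated managed implementations once the policy is on. The registry path and the .NET class names are real; the host it runs on is assumed.

```powershell
# Added example (not from the article): is FIPS policy enforced on this host,
# and which .NET crypto classes are still usable under it?
# Assumes a Windows 8 / Server 2012 or later host with PowerShell and .NET Framework.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$enabled = (Get-ItemProperty -Path $keyPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($enabled -eq 1) {
    'FIPS policy: enforced (FipsAlgorithmPolicy\Enabled = 1)'
} else {
    "FIPS policy: NOT enforced (FipsAlgorithmPolicy\Enabled = '$enabled')"
}

# The .NET runtime reads the same policy and exposes it here.
"CryptoConfig.AllowOnlyFipsAlgorithms = $([System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms)"

# Under FIPS policy the purely managed implementations (and MD5, which is not an
# approved algorithm) refuse to instantiate, while the CSP/CNG-backed classes that
# wrap the validated Windows modules keep working. Outside FIPS policy all succeed.
$types = 'MD5CryptoServiceProvider', 'SHA256Managed', 'SHA256Cng',
         'AesManaged', 'AesCryptoServiceProvider'
foreach ($type in $types) {
    try {
        $null = New-Object "System.Security.Cryptography.$type"
        '{0,-28} OK' -f $type
    } catch {
        '{0,-28} BLOCKED: {1}' -f $type, $_.Exception.InnerException.Message
    }
}
```

If the first line reports the policy as not enforced, the nine certificates buy you nothing on that host: every application is free to pick MD5 or a managed AES that was never part of the validation boundary. Enabling the policy is a deployment decision (Group Policy "System cryptography: Use FIPS compliant algorithms..." sets the same key), and it has to be paired with applications that use the CSP/CNG-backed classes, which is the "locks but windows open" point made in the comments below.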

If any of this makes sense to you, you’ll want to hit up the MSDN blog post below to get the details and view all nine FIPS 140-2 certificates that Windows Phone received.

Source: MSDN; Thanks, Vince B., for the tip!


Reader comments


Great news! These will also mean that opening documents from a SharePoint or other web-service with medical data can be considered secure thanks to other security policies.

Yes, I remember reading Obama was the first American president who wanted to use a smartphone so they got him a customized Blackberry.

I believe Presidents have carried BlackBerry devices for quite some time. They are, almost without exception, the most secure handheld devices. You can approach that level of security on iOS/Android/WP using 3rd party device management software combined with content sandboxes like Good for Enterprise.
Depending on the industry you're in, strong mobile device security may be required by either regulation or customers. FIPS certification is a good step toward that, but is not generally sufficient in and of itself. An analogy would be installing the best locks on all your doors, but leaving them unlocked and all the windows open.

All Blackberry data routes through Canadian Datacenters, so they won't be allowed for Classified information. Last I knew the only phone certified for classified info was the Sectera Edge with WinMo 6 that was posted above.
 

FIPS 140-2 compliance is a big deal in the government, military, and medical spaces.

I work in the confines of the former two spaces and it's one of many requirements in the classified information processing accreditation process, so we could very well see Bond with a Windows Phone at some point.

(The lack of any sort of VPN/IPsec, however, would still be a blocker. But from what I've read on WPCentral, we may be getting that too in "Blue". Exciting stuff.)

After Blue... What's next? Serious question because GDR3 and Blue are going to make a lot of people happy if they aren't already

What does it mean? The US government can successfully access all encrypted data and it is good to be rolled out?

Umm, pardon my ignorance, but I have been wanting to ask this question. That phrase "after the break" would sometimes appear in the article. But, where is the break?

After the break is usually a term used for when the programming begins after advertisements. So if you don't see any adverts they are using the term wrong anyway.

An "AD" or a "commercial" is usually between the paragraphs and the "after the break" is like saying " will be right back after these messages" that's how sites like this get paid.

Specific vendor versions. It's pretty much the same situation with all Open Source Software. Certain distributions of Linux get certified but the whole Open Source OS can't be as different distributions might differ in ways that impact the certified properties.

Actually, this is much more than Windows Phone 8. It also includes Server 2012, Windows 8 Enterprise, Windows RT and it includes FIPS compliance for BitLocker across the stack. There is third party support for Android 4.0 via Samsung and a few other providers. Apple is also FIPS compliant for iOS and OSX up to 10.5 and iOS 6 but no other single software solution other than Microsoft is compliant across all nine NATIVELY. If I'm not mistaken, you needed third party solutions to support FIPS compliance on Windows until now. Uh yeah, calling this a big deal is an understatement. BlackBerry is not natively FIPS compliant according to the site.

FIPS 140-2 compliance simply means that the modules implement the cryptographic algorithms properly, and don't leak secret information to other parts of the application or other applications. Earlier versions of Windows were also FIPS 140-2 compliant. NIST certifies modules not whole products, but they require a re-certification of major changes to each module.
 
Windows Phone 7.x uses the Windows CE Enhanced Cryptographic Provider from CE 6.0 (later re-certified for CE 7.0, aka Windows Embedded Compact 7), certification number 825: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#825.
 
There are nine certifications in this round because Microsoft submitted nine modules for certification. It doesn't indicate that Microsoft's modules are better or worse than anyone else's.

This is true. The compliance refers to individual modules but the fact that those modules also apply throughout the stack is significant given the shared kernel. This also includes BitLocker so that is a big plus. Beyond that, FIPS compliance for previous versions of Windows is limited to the one you mentioned but I'm not aware of FIPS compliance for any other versions of Windows (natively). And you are also correct that compliance doesn't refer to quality. It is either compliant or it isn't but this is a significant achievement given the depth and breadth of the certifications in question. I would love to see DirectAccess on this list as well. Nothing would make me happier than to see client VPN disappear altogether.

Yet management capabilities for Windows Phone 8 are a joke. Even in Windows Intune, iOS is better supported than WP.

I expect the management capabilities to improve for Windows Phone 8.1 in much the same way that they have for Windows 8.1 Pro / Enterprise and Windows 8.1 RT. If anything, they are breaking new ground with EAS support for business data removal and Open MDM management for Windows 8.1 Pro / Enterprise.

Actually, we still need a non camera phone for most of us. I'm still stuck with my blackberry at work while having to keep my 920 locked in my saddle bag.

Don't forget. BlackBerry is the only one with ATO status on DoD networks. (Authorized To Operate)