Policy: FIPS software releases
07-27-2013 08:12 AM
I wanted to provide some information on how we currently post FIPS software releases on our support site (http://support.arubanetworks.com) in hopes that it will reduce confusion and help people know what to expect.
In the past, we waited until a particular software release was FIPS validated (either through initial validation, revalidation, or change letter process) before we posted it on the website. This made it easy for customers - if the release was available for download, it was FIPS validated. More recently, we have begun posting software as soon as it is officially released. This is primarily for two reasons:
- A number of customers run FIPS software who are not required by law to do so. This includes commercial customers as well as non-US government customers. These customers have requested that we not hold software back awaiting validation - often there are bug fixes or new features that they need access to.
- Even within US government customers, there are different degrees of tolerance for non-validated software. By this point Aruba has established a track record in FIPS validations, and a number of IA people are comfortable that if we state a release is FIPS compliant, it is (as long as actual validation follows in a reasonable period of time.) We have heard from these types of customers, "If you have a new release with bugs fixed, post it and let us decide if we want to run it. We get a limited number of maintenance windows, so give us the most bug-free software even if it isn't validated."
That said, this has been a change for people who previously downloaded software from us and ran it without checking the NIST website first. To help those people out, we're going to start indicating FIPS status on the support website by creating a new folder called "FIPS validated" and placing only software images that are listed on the NIST website into that folder. We have also created a sticky thread on this forum which will always list the latest validated release, along with links to the NIST website so you can easily check it. We recommend you subscribe to this forum so that you'll be emailed updates when they happen.
On a related note, we're starting to roll out ArubaOS 6.3. Starting with 6.3, there is no longer a separate software branch and release schedule for FIPS releases. Every single 6.3 image we build will include a FIPS and a non-FIPS image, and it's our intention to post both on the support site. By default all FIPS images will be posted in the non-validated folder; we'll move them to the validated folder after validation happens (which will not be for every single release).
Please reply if there are questions, comments, or suggestions. I'm happy to try to make this easier for everyone in any way that I can.
Jon Green, ACMX, CISSP