Security Solution Checklist

Questions to ask your vendor about their proposed security 'solution':

• Does the solution handle both data-at-rest and data-in-transit?

• Does it secure e-mail?

• Is it easy to use?

• Does it integrate seamlessly into standard office applications?

• Was the solution designed, developed, and manufactured within the U.S.?

• Is support for the solution U.S.-based?

• If DoD security clearances are an issue, what percentage of the company’s development and technical support staff have clearances at the required level?

• Does the solution employ a FIPS 140-validated module for all cryptographic operations? (FIPS 140-1 and 140-2 are equally acceptable according to NIST and CSE guidelines.)

• Does it use NSA Suite B algorithms wherever appropriate?

• Does the solution support the latest X.509v3 certificates and CRLs, with fully IETF PKIX-compliant path discovery and validation?

• Is the solution’s certificate support ‘Federal Bridge’ enabled (according to the latest NIST specifications)?

• Has the solution been approved for operational use within the DoD and U.S. Intelligence Community?

• Is the solution DISA JITC-certified for interoperability with the DoD PKI?

• Is the solution trusted for use in specific SECRET-level programs within DoD?

• Does the solution support smartcards and/or other hardware security modules, such as the DoD CAC?

• Does the solution interoperate across all computing platforms deployed within your enterprise?