Selling to the US Government can require getting FIPS (Federal Information Processing Standards) certification.Many storage products are based on Linux and Open Source code, which by themselves do not promise compliance with any standards. Sometimes the storage protocols themselves are incompatible with the required FIPS-140 standards. Sometimes the Open Source code is old enough that they still hand-craft their own crypto code dating from a time when the US Government tried to restrict some crypto algorithms). This talk will cover an engineers perspective on what getting FIPS-140 certification for a product requires in terms of code changes, testing, and compliance.

Welcome to the FIPS trenches, here is your shovel. Start digging!