Companies don't need any additional reasons to skimp out on security.
The money could probably be more wisely spent if not following FIPS but without FIPS the average company wouldn't direct that money towards security at all.
I wouldn't say nothing. It is intended to ensure some level of security. And in some ways it can lead to decreased security if you comply with it (for example, if a vulnerability is found in your crypto library, you have to wait for the fix to be "validated" before you can patch it).
But yeah, complying with FIPS doesn't necessarily mean you are secure, and it is definitely possible to be secure without being FIPS compliant.
I may be thinking more about FedRAMP in general rather than just FIPS140-3, but mandating things like keeping user passwords out of logs is a security improvement.
And the average company needs to be dragged kicking and screaming to care about security at all.
Doesn’t it at least keep snake oil crypto out of government? If it were removed it should be replaced by something. No standard would lead to a lot of crap being deployed.
There's a difference between FIPS validation and FIPS-approved algorithms. We can say "you have to use the FIPS-approved algorithms", but skip the useless validation step.
tptacek|7 months ago
thayne|7 months ago
But yeah, complying with FIPS doesn't necessarily mean you are secure, and it is definitely possible to be secure without being FIPS compliant.
dlock17|7 months ago
And the average company needs to be dragged kicking and screaming to care about security at all.
api|7 months ago
dadrian|7 months ago