Review of FIPS certification newsworthy
Recently there have been a lot of stories involving the security flaws of some high-profile encrypted flash drives. Some follow-up articles have claimed the initial news to be nothing more than FUD (Fear, Uncertainty, Doubt): an attempt to influence public perception with negative information about what is essentially a nonstory.
We, however, disagree. If there is a security flaw in what is supposed to be a secure flash drive, one certified by the U.S. government and used for sensitive data, this is extremely newsworthy. The fact that these drives are FIPS certified only increases the story's newsworthiness.
Many government agencies are required to purchase FIPS validated/certified products. This requirement is based on the belief that if a device is FIPS certified, it is secure enough for sensitive government information. While FIPS only validates the cryptographic functionality of a product, additional security aspects may be reviewed in the future (Common Criteria, for example). NIST's stance that it is "actively investigating whether any changes in the NIST certification process should be made in light of this issue" may indicate that it also needs to review items that have traditionally been treated as out of scope from a FIPS standpoint but are certainly security relevant. One example would be a review of the cryptographic boundaries of security products, since a flaw outside the validated boundary can still defeat the protection the boundary was meant to provide.