Employ FIPS Validated Cryptographic Library or Get FIPS Validation for...
A free file archiver for extremely high compression
Brought to you by:
ipavlov
Request that 7zip employ a FIPS 192 validated library or get certified as FIPS 192 compliant. This would make 7zip a viable option for encryption at rest for companies trying to meet NIST 800-171 or similar compliance requirements. One compliant library which may be viable for use is OpenSSL's FIPS Object module. Full list of applicable modules is listed here:
http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
Validation test procedures are defined here:
http://csrc.nist.gov/groups/STM/cavp/documents/aes/AESAVS.pdf
Testing laboratories which can certify implementations of AES are listed here:
http://csrc.nist.gov/groups/STM/testing_labs/index.html
Cybersecurity Maturity Model Certification (CMMC) compliance has become an essential part of some US government contracts. Part of that compliance will include encrypting files using a FIPS 192 compliant application. This library would help achieve that goal.
@ipavlov, I love 7-Zip! Many companies give away free software but charge for FIPS-compliant versions. So a FIPS-compliant version could become a revenue source.
That said, license management is a hassle no one wants to deal with, so perhaps a "7-Zip FIPS 140 Compliance Coalition" of companies could fund 7-Zip to maintain FIPS-compliance, and let you still give it away for free. Google shows FIPS 140-3 Level 1 compliance can cost US $20,000+, so e.g. my small company could kick in US $2000. Get @jlegum and 30+ companies on board, and you could both make users happy and make a little profit. I don't know if the math really works out, but it's just a thought.
Thanks again for making 7-Zip!