Questions to ask your vendor about their proposed security 'solution':
• Does the solution handle both data-at-rest and data-in-transit?
• Does it secure e-mail?
• Is it easy to use?
• Does it integrate seamlessly into standard office applications?
• Was the solution designed, developed, and manufactured within the U.S.?
• Is support for the solution U.S.-based?
• If DoD security clearances are an issue, what percentage of the company’s development and technical support staff have clearances at the required level?
• Does the solution employ a FIPS 140-validated module for all cryptographic operations? (FIPS 140-1 and 140-2 are equally acceptable according to NIST and CSE guidelines.)
• Does it use NSA Suite B algorithms wherever appropriate?
• Does the solution support the latest X.509v3 certificates and CRLs, with fully IETF PKIX-compliant path discovery and validation?
• Is the solution’s certificate support ‘Federal Bridge’ enabled (according to the latest NIST specifications)?
• Has the solution been approved for operational use within the DoD and U.S. Intelligence Community?
• Is the solution DISA JITC-certified for interoperability with the DoD PKI?
• Is the solution trusted for use in specific SECRET level programs within DoD?
• Does the solution support smartcards and/or other hardware security modules, such as the DoD CAC?
• Does the solution interoperate across all computing platforms deployed within your enterprise?
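The certificate questions above (X.509v3 support, CRL handling, PKIX-compliant path validation, Suite B algorithms) are easy for a vendor to answer "yes" to and hard for a buyer to verify. The following Go program is an added example, not code from the page or from any vendor, showing the minimum a PKIX-compliant client must actually do: build a path from the leaf to a trusted root, enforce key usage, then check a CRL for signature, freshness and serial membership. It constructs a throwaway P-256/SHA-256 CA, leaf and CRL in memory, so every certificate and serial number here is an assumption made for the demonstration; the checks themselves are what a reviewer should expect a real product to perform against the enterprise's own PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI holds a constructed CA, one leaf it issued, and a CRL from that CA.
// All material is generated at run time for this example only.
type testPKI struct {
	caCert   *x509.Certificate
	leafCert *x509.Certificate
	crlDER   []byte
}

// buildTestPKI constructs a P-256 (Suite B curve) CA, an S/MIME-style leaf,
// and a CRL; when revokeLeaf is true the CRL lists the leaf's serial number.
func buildTestPKI(revokeLeaf bool) (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed serial
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is required or CreateRevocationList refuses to sign.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2), // constructed serial
		Subject:        pkix.Name{CommonName: "user@example.test"},
		EmailAddresses: []string{"user@example.test"},
		NotBefore:      now.Add(-time.Hour),
		NotAfter:       now.Add(12 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(6 * time.Hour),
	}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{
			{SerialNumber: leafCert.SerialNumber, RevocationTime: now},
		}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{caCert: caCert, leafCert: leafCert, crlDER: crlDER}, nil
}

// isX509v3 reports whether the certificate carries version 3 (the only version
// that can hold extensions such as key usage and basic constraints).
func isX509v3(c *x509.Certificate) bool { return c.Version == 3 }

// validatePath runs RFC 5280 path validation (chain to a trusted root, validity
// period, basic constraints, key usage) and then a CRL check: the CRL must be
// signed by the issuer, must not be past NextUpdate, and the leaf's serial must
// not appear in it. It returns (chainOK, revoked, err).
func validatePath(p *testPKI) (bool, bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.caCert)
	if _, err := p.leafCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}); err != nil {
		return false, false, err
	}
	crl, err := x509.ParseRevocationList(p.crlDER)
	if err != nil {
		return true, false, err
	}
	if err := crl.CheckSignatureFrom(p.caCert); err != nil {
		return true, false, err // a CRL not signed by the issuer proves nothing
	}
	if time.Now().After(crl.NextUpdate) {
		return true, false, fmt.Errorf("CRL is stale; refusing to treat leaf as unrevoked")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.leafCert.SerialNumber) == 0 {
			return true, true, nil
		}
	}
	return true, false, nil
}

func main() {
	p, err := buildTestPKI(true)
	if err != nil {
		panic(err)
	}
	ok, revoked, err := validatePath(p)
	fmt.Printf("v3=%v chainOK=%v revoked=%v err=%v\n", isX509v3(p.leafCert), ok, revoked, err)
}
```

A product that answers the CRL question honestly will fail closed in the two places this example does: a CRL whose signature does not verify, or one that is past its NextUpdate, must not be taken as evidence that a certificate is good.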