Monday, February 4, 2013

A Quick Guide to Getting a Product onto the GSA FIPS 201 Approved Products List


by Steve Weingart

Going through the evaluation process and getting your product onto the GSA Approved Products List (APL) can be a trial, but if you follow these steps, it just might be a lot easier:

  1. Visit the GSA FIPS 201 website (fips201ep.cio.gov) and obtain a login (under ‘2’ on the left side). Then go to the right side of the page and click on the Supplier’s Handbook, which describes the process and rules.
  2. Under Approval Procedures (AP), a bit lower on the right, determine which category or categories apply to your product, and then download the Approval Procedure package(s) for your product(s).
  3. In the AP, section 3.1, table 1 lists all of the requirements. There are four (4) kinds:
    a.    Vendor Documentation Review (VDR) - a review performed by the lab on the vendor’s product documentation.
    b.    Vendor Test Data Report (VTDR) - shows the results of the tests that must be performed by the vendor or a consultant; the lab is not allowed to perform these tests. The vendor details the results in the VTDR and the lab reviews it.
    c.    Lab Test Data Report (LTDR) - shows the results of the tests that the lab performs. These tests are defined in a separate document called the Test Procedure. The Test Procedures, for the categories that have them, are in the Test Procedure section of the website, on the right under the APs. The lab produces the LTDR, if one is required, and submits it to the GSA along with the final report.
    d.    Certification (C) - to fulfill these requirements, you must obtain some other certification outside of the GSA program. The typical requirements are FIPS 140-2 for cryptography, MINEX for fingerprint template matching, or FIPS 201 NPIVP by NIST for PIV cards or middleware. Some of these certifications can take quite a long time to obtain (up to a year, or more), so if you need any of them, start them before you begin the GSA PIV evaluation process.
  4. Now that you know the requirements, you can obtain any needed certifications and make any needed design updates. It is time to pick your lab, get training for your staff and, if needed, a gap analysis for your product.
  5. Once you begin the testing process with the lab, you will fill out the web application form for your product on the GSA website and assign the case to your lab. At this time, you will send the lab your VTDR with any supporting evidence, product documentation and the three other required forms from the AP package. Those three forms are a spreadsheet showing where in each of your documents the evidence for each requirement can be found, and two affidavits: one attesting to the truth of your company statements and the other concerning Federal Acquisition Regulations.
  6. One really important note: by the time you complete the submission, you will have entered the product name, the version numbers for the software, firmware and hardware, and the company name and address about 6 times, so make sure that each entry is EXACTLY the same as all the others. They must match, including case, punctuation, spaces, etc.
  7. Once the data and documents are available to the lab, the lab testing and the review of the documentation and the VTDR begin. If any nonconformities are found, they can be corrected and the test process repeated, until the product passes all tests and the documents meet all requirements.
  8. Once the product meets all of the requirements and the reports are complete, the lab submits the package to the GSA for approval.
