Importance of Common Criteria and FIPS 140-2 Certification for SIEM Solutions

Computing technology and applications are increasingly becoming the backbone of businesses across industries. Most transactions, processes and data today are in a digital format and are stored, processed and accessed through software applications. This reliance highlights the importance of ensuring that hardware and software technologies are manufactured and developed with adequate inbuilt security measures.

Through the National Institute of Standards and Technology (NIST), the U.S. government has led the way in defining standards and enabling formal certification of inbuilt security levels for a broad range of computing technologies. Through the Federal Information Security Management Act (FISMA), the government also requires that federal agencies invest in technologies that provide adequate levels of inbuilt security. Since SIEM solutions are widely relied upon to detect security threats and satisfy audits, it is critical that they meet the dominant standards in place.

Common Criteria

The Common Criteria is a framework for software and hardware vendors to implement and certify defined levels of security within their products. Common Criteria is accepted by a number of organizations internationally as a definitive standard for proving that the integrity and security architecture of a technology has been tested and validated against known criteria by an accredited third-party laboratory.

ArcSight ESM has achieved Common Criteria certification at Evaluation Assurance Level 3 Augmented (EAL3) from the National Information Assurance Partnership (NIAP). Tested by the independent SAIC Common Criteria Testing Laboratory, this certification provides third-party validation of the integrity and quality of the security features of ArcSight ESM.

FIPS 140-2

Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to accredit cryptographic modules. The Cryptographic Module Validation Program (CMVP) validates cryptographic modules against FIPS 140-2 and other cryptography-based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE) of the Government of Canada. Products validated as conforming to FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or designated information (Canada).

SIEM solutions collect, store and analyze log data from numerous infrastructure event sources, often across several locations. Unauthorized access to, or modification of, these logs can enable a malicious user to hide their actions and can prevent the SIEM solution from detecting a potential security threat. It can also call audits into question, because the log data used for the audit may have been altered. To protect against that risk, SIEM solutions should encrypt logs on all communication and transport channels and use hashing algorithms to ensure integrity. Additionally, these cryptographic modules should meet the FIPS 140-2 standard so that algorithms with known weaknesses and vulnerabilities are avoided. ArcSight Connectors, ArcSight Logger and ArcSight ESM can all be configured to use FIPS 140-2 certified cryptographic modules.
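As an added illustration of the log-integrity control described above (example code, not ArcSight's own, and not a substitute for a validated module: FIPS 140-2 validation applies to the cryptographic module and its operational environment, whereas this only uses a FIPS-approved algorithm), each stored record is sealed with an HMAC-SHA256 tag chained to the previous tag, so that altering, deleting or reordering any record is detected on verification. The key and the sample events are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample records standing in for connector events forwarded to the SIEM.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z host1 sshd: Accepted publickey for admin",
    "2024-01-01T10:00:05Z host1 sudo: admin : COMMAND=/bin/bash",
    "2024-01-01T10:00:09Z host1 sshd: session closed for user admin",
]

# Constructed demo key. In practice the key lives with the SIEM/auditor,
# never on the host whose logs it protects.
DEMO_KEY = b"constructed-demo-key"

GENESIS = b"\x00" * 32  # fixed starting link for the first record


def seal_events(events, key):
    """Return [(record, hex_tag)] with tag = HMAC-SHA256(key, prev_tag || record).

    Chaining each tag to the previous one means a record cannot be altered,
    removed or reordered without breaking the tag of that record and of every
    record that follows it.
    """
    prev = GENESIS
    sealed = []
    for rec in events:
        tag = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        sealed.append((rec, tag.hex()))
        prev = tag
    return sealed


def verify_chain(sealed, key):
    """Return the index of the first record whose tag fails, or -1 if intact."""
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        # Constant-time compare avoids leaking tag bytes via timing.
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1


if __name__ == "__main__":
    sealed = seal_events(SAMPLE_EVENTS, DEMO_KEY)
    print("intact chain ->", verify_chain(sealed, DEMO_KEY))          # -1
    tampered = list(sealed)
    tampered[1] = (tampered[1][0].replace("admin", "nobody"), tampered[1][1])
    print("edited record 1 ->", verify_chain(tampered, DEMO_KEY))    # 1
    print("record 1 deleted ->", verify_chain(sealed[:1] + sealed[2:], DEMO_KEY))  # 1
```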

Note: In order to address security vulnerabilities, ArcSight products may ship with a patch of a FIPS certified component. For any questions regarding FIPS certification, please contact legal-info@arcsight.com.