When engaging an electronic discovery vendor, make sure that it provides an adequate level of data security for encrypted data transferred over a network by checking whether it is validated under FIPS 140-2. Federal Information Processing Standard 140-2 is a standard issued by the National Institute of Standards and Technology (NIST) on Security Requirements for Cryptographic Modules. The validation process involves evaluation by an independent laboratory and review of the lab's report by a joint U.S./Canadian body named the Cryptographic Module Validation Program (CMVP). Be sure to distinguish between vendors that claim to be FIPS 140-2 compliant and those that hold FIPS 140-2 validation. A FIPS 140-2 compliant organization is merely using a cryptographic module of another business that obtained FIPS 140-2 validation; the compliant organization has not itself been validated.
FIPS 140-2 validation involves a review in 11 different areas, including:
Cryptographic Module Specification
Cryptographic Module Ports and Interfaces
Roles, Services and Authentication
Finite State Model
Cryptographic Key Management
Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
Mitigation of Other Attacks
An organization receives a security level from 1 to 4 in each of these areas and an overall level, with 4 indicating the highest level of security.
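The following Python is an added example, not code from the original article, showing the due-diligence check the text describes: it takes a vendor's claim and compares it against a CMVP-style validation record, flagging a "compliant" vendor (one that uses someone else's validated module) as distinct from the module vendor that actually holds the certificate, and also checking that the claimed module version is covered, that the certificate is still active, and that the overall level meets a required minimum. The record fields, certificate numbers, vendor names and module names are constructed placeholders and are not real CMVP data or the CMVP list schema; the rule that the overall level is the lowest level achieved in any area is taken from FIPS 140-2, and the area names used are those listed in the article.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Review areas as named in the article (the standard defines 11; these are the ones listed there).
PAGE_AREAS = (
    "Cryptographic Module Specification",
    "Cryptographic Module Ports and Interfaces",
    "Roles, Services and Authentication",
    "Finite State Model",
    "Cryptographic Key Management",
    "EMI/EMC",
    "Mitigation of Other Attacks",
)


@dataclass
class CmvpRecord:
    """One validation entry. Constructed stand-in for a CMVP list row; field names are assumptions."""
    certificate: str                  # certificate number (placeholder in the sample below)
    module_name: str
    module_versions: Tuple[str, ...]  # exact versions the certificate covers
    vendor: str                       # the business that obtained the validation
    status: str                       # e.g. "Active", "Historical", "Revoked"
    area_levels: Dict[str, int] = field(default_factory=dict)

    def overall_level(self) -> int:
        """FIPS 140-2 overall level is the lowest level achieved in any reviewed area."""
        return min(self.area_levels.values())


@dataclass
class VendorClaim:
    vendor: str
    module_name: str
    module_version: str
    wording: str  # the phrase the vendor uses, e.g. "FIPS 140-2 validated" or "FIPS 140-2 compliant"


def assess_claim(claim: VendorClaim, records: List[CmvpRecord],
                 required_level: int = 1) -> Tuple[bool, List[str]]:
    """Return (claim_holds, findings). An empty findings list means the claim checks out."""
    findings: List[str] = []
    matches = [r for r in records if r.module_name == claim.module_name]
    if not matches:
        return False, [f"no CMVP record found for module {claim.module_name!r}"]
    rec = matches[0]
    if claim.module_version not in rec.module_versions:
        findings.append(f"version {claim.module_version} is not covered by certificate {rec.certificate}")
    if rec.status != "Active":
        findings.append(f"certificate {rec.certificate} is {rec.status}, not Active")
    if rec.vendor != claim.vendor:
        findings.append(f"certificate {rec.certificate} is held by {rec.vendor}; {claim.vendor} is at most "
                        f"'compliant' (uses a validated module) and is not itself validated")
    if rec.overall_level() < required_level:
        findings.append(f"overall level {rec.overall_level()} is below the required level {required_level}")
    return not findings, findings


# Constructed sample data: certificate number, vendor and module names are placeholders.
_levels = {a: 2 for a in PAGE_AREAS}
_levels["Cryptographic Module Specification"] = 3  # one area higher; overall stays at the minimum, 2
SAMPLE_RECORDS = [
    CmvpRecord(certificate="CERT-PLACEHOLDER-1", module_name="ExampleCrypto Core",
               module_versions=("2.0", "2.0.1"), vendor="ExampleCrypto Inc.",
               status="Active", area_levels=_levels),
]

# An eDiscovery vendor that embeds ExampleCrypto's module: "compliant", not validated.
COMPLIANT_VENDOR = VendorClaim("Acme Discovery LLC", "ExampleCrypto Core", "2.0.1", "FIPS 140-2 compliant")
# The module vendor itself, naming a version the certificate covers.
VALIDATED_VENDOR = VendorClaim("ExampleCrypto Inc.", "ExampleCrypto Core", "2.0", "FIPS 140-2 validated")
# The module vendor naming a version the certificate does not cover.
STALE_VERSION = VendorClaim("ExampleCrypto Inc.", "ExampleCrypto Core", "3.0", "FIPS 140-2 validated")

if __name__ == "__main__":
    for c in (COMPLIANT_VENDOR, VALIDATED_VENDOR, STALE_VERSION):
        ok, notes = assess_claim(c, SAMPLE_RECORDS, required_level=2)
        print(f"{c.vendor} ({c.wording}): {'OK' if ok else '; '.join(notes)}")
```

The version check matters in practice: a certificate lists exact module versions, so a vendor shipping a newer build of a once-validated module is no longer covered until that build is validated. The required level should be set by the engaging organization's own policy for the data involved.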