If you want to do business with the Federal Government, then you may need the right product certifications to meet their specific standards and requirements. U.S. and International Governments are now mandating security certifications for products they are integrating into the technology infrastructure to help:
8 certifications related to products procured by the Federal Government directly support the above initiatives and you will need some or all of these credentials in order to do business successfully with the Government. These product certifications focus mainly on three areas:
Americans With Disabilities Act: (ADA) Section 508 was enacted to eliminate barriers in Information Technology, to make available new opportunities for people with disabilities, and to encourage development of technologies that will help achieve these goals. The law applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology.
Which agencies require this certification? | All Federal agencies when they develop, procure, maintain, or use electronic and IT. |
What is the estimated cost to earn this certification? | $27,000-50,000 |
How long does it take, on average, to earn this certification? | 3-12 months |
Do you need a sponsor to achieve this certification? | No |
What does this certification support? | This certification helps to eliminate barriers in IT and gives new opportunities to disabled persons. |
What products does this certification apply to? | Online or electronic technology. |
The National Information Assurance Partnership (NIAP) is responsible for U.S. implementation of the Common Criteria, including management of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. NIAP manages a national program for developing Protection Profiles, evaluation methodologies, and policies that will ensure achievable, repeatable, and testable requirements. In partnership with NIST, NIAP also approves Common Criteria Testing Laboratories to conduct these security evaluations in private sector operations across the U.S.
Which agencies require this certification? | U.S. Government |
What is the estimated cost to earn this certification? | $150,000 + |
How long does it take, on average, to earn this certification? | 12-18 Months |
Do you need a sponsor to achieve this certification? | No |
What does this certification support? | This certification ensures that IA and IA-enabled IT products acquired by the U.S. Government perform as advertised and satisfy security requirements. |
What products does this certification apply to? | Commercial Off-the-Shelf (COTS) IT products. |
FIPS PUB 140-3 [pdf doc], Security Requirements for Cryptographic Modules provides the security requirements that cryptographic modules are tested against. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. For each area, a cryptographic module receives a security level rating (1-4, from lowest to highest) depending on what requirements are met. Security Level 3 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.
Which agencies require this certification? | U.S. Government |
What is the estimated cost to earn this certification? | $40,000-170,000 |
How long does it take, on average, to earn this certification? | 6-12 Months |
Do you need a sponsor to achieve this certification? | No |
What does this certification support? | This certification provides cryptographic security testing for your products. |
What products does this certification apply to? | Cryptographic-based security systems that are used to provide protection for sensitive or valuable data. |
Need Help Identifying The Product Certifications You Need Do Business With The Federal Government?
Register for an upcoming Federal Sales Certification Training Course and gain the tactical skills you need to effectively sell to the Federal Government!
The DoD Risk Management Framework (RMF) describes the DoD process for identifying, implementing, assessing, and managing cybersecurity capabilities and services, expressed as security controls, and authorizing the operation of Information Systems (IS) and Platform Information Technology (PIT) systems. RMF brings a risk-based approach to the implementation of cybersecurity, supports cybersecurity integration early and throughout the system life-cycle, promotes reciprocity to the maximum extent possible and stresses continuous monitoring. RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP).
The RMF process parallels the defense acquisition process from initiation and consists of six (6) steps:
Which agencies require this certification? | Department of Defense (DoD) |
What is the estimated cost to earn this certification? | ~ $150,000 |
How long does it take, on average, to earn this certification? | 6-9 Months |
Do you need a sponsor to achieve this certification? | Yes |
What does this certification support? | This certification supports the identification, implementation, assessment and management of cybersecurity capabilities and services |
What products does this certification apply to? | New and legacy systems within the system development lifecycle. |
The Department of Defense Information Network Approved Products List (DODIN APL) is established in accordance with the UC Requirements (UCR 2013) document and mandated by the DOD Instruction (DODI) 8100.04. Its purpose is to maintain a single consolidated list of products that have completed Interoperability (IO) and Cybersecurity certification. Use of the DODIN APL allows DOD Components to purchase and operate systems over all DOD network infrastructures.
The DODIN APL is the only listing of equipment by DOD to be fielded in DOD networks. DOD components are required to fulfill their system needs by only purchasing DODIN APL listed products, providing one of the listed products meets their needs. This means the DODIN APL must be consulted prior to purchasing a system or product. If no listed product meets the organizations needs, they may sponsor a product for testing that does meet their needs.
Which agencies require this certification? | Department of Defense (DoD) |
What is the estimated cost to earn this certification? | $35,000-$65,000 |
How long does it take, on average, to earn this certification? | 9-12 Months |
Do you need a sponsor to achieve this certification? | Yes |
What does this certification support? | This certification provides a list of products that have completed Interoperability (IO) and Cybersecurity certification and can be fielded in DOD networks. |
What products does this certification apply to? | Equipment to support the Defense Information Support Network (DISN) mission. Such equipment includes routers, switches, firewalls, cybersecurity tools and more. |
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and security. FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost effective cloud-based IT.
FedRAMP created and manages a core set of processes to ensure effective, repeatable cloud security for the government. FedRAMP established a mature marketplace to increase utilization and familiarity with cloud services while facilitating collaboration across government through open exchanges of lessons learned, use cases, and tactical solutions.
Which agencies require this certification? | Government Wide |
What is the estimated cost to earn this certification? | ~ $400,000 + |
How long does it take, on average, to earn this certification? | 8-9 Months |
Do you need a sponsor to achieve this certification? | Yes |
What does this certification support? | This certification ensures effective, repeatable cloud security for the government. |
What products does this certification apply to? | Cloud products and services. |
An Authorization to Operate (ATO) is a formal declaration by an Authorizing Official (AO) that authorizes operation of a Business Product and explicitly accepts the risk to agency operations. All agencies handle the ATO process differently, to develop a complete understanding of the process, speak with the targeted agency's security compliance specialist. Here s an example of a typical ATO process for a cloud.gov customer system.
Which agencies require this certification? | Government Wide |
What is the estimated cost to earn this certification? | Free |
How long does it take, on average, to earn this certification? | ~12 Months |
Do you need a sponsor to achieve this certification? | Yes |
What does this certification support? | Authorizes operation of a Business Product and explicitly accepts the risk to agency operations. |
What products does this certification apply to? | Systems that typically include staging and production spaces, applications, and service instances that comprise sub-components of the system. The exact definition and boundary of “system” is up to agency designating the ATO. |
Thee Cybersecurity Maturity Model Certification (CMMC) is a more recent certification developed under The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The goal of CMMC is to ensure that cybersecurity remains at the forefront of any acquisition by assessing the level of protection of controlled unclassified information (CUI) at various stages of the the supply chain as a means to reduce risk of specific cyber threats. CMMC builds upon existing regulation (DFARS 252.204-7012).
This certification applies to Defense Industrial Base (DIB) sector and requires that these companies obtain the certificate through authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs).
Which agencies require this certification? | Department of Defense (DoD) |
What is the estimated cost to earn this certification? | Costs for the CMMC are not fully understood at this point but officials working on the standard estimate costs for the first level could be up to $5,000 and then will continue to rise for each maturity level after that. |
How long does it take, on average, to earn this certification? | Certification needs to be completed every 3 years. |
Do you need a sponsor to achieve this certification? | No |
What does this certification support? | This certification provides the DoD with the assurance that a DIB company can adequately protect CUI throughout multiple tiers of the supply chain. |
What products does this certification apply to? | Any product procured by the DoD. |
The Cyber Supply Chain Risk Management (C-SCRM) process was developed by NIST in order to better identify, assess and mitigate the inherent risks associated with the information, communications, and operational technology (ICT/OT) supply chains. This process addresses supply chain threats and vulnerabilities for any product of service at any stage from design and development to acquisition, maintenance and end of life.
Which agencies require this certification? | Department of Defense (DoD) |
What is the estimated cost to earn this certification? | This is an ongoing process that needs to be followed rather than a one-time investment in certification. |
How long does it take, on average, to earn this certification? | Ongoing |
Do you need a sponsor to achieve this certification? | No |
What does this certification support? | Supply chain risk management. |
What products does this certification apply to? | Cybersecurity supply chains. |
The Trade Agreements Act (19 U.S.C. & 2501-2581) of 1979 requires the U.S. government may only acquire products that are U.S. made or have been “substantially transformed” in the US (Or in a TAA compliant country) prior to purchase. Many countries are TAA compliant, those that are not include, but are not limited to:
Which agencies require this certification? | All Federal agencies |
What is the estimated cost to earn this certification? | Costs for maintaining compliance are incurred during the manufacturing process and cannot be quantified here. |
How long does it take, on average, to earn this certification? | Since compliance is integrated with the manufacturing process, timelines vary for how long it takes a company to adjust their processes to meet TAA requirements. |
Do you need a sponsor to achieve this certification? | No |
What does this certification support? | This certification ensures that a product procured by the government is not manufactured within a country not approved by US compliance standards. |
What products does this certification apply to? | Any product procured through a GSA MAS |
The Networthiness Certification Program manages the specific risks and impacts associated with the fielding of Information Systems (ISs) and supporting efforts, requires formal certification throughout the life cycle of all ISs that use the Information Technology (IT) infrastructure, and sustains the health of the Army Enterprise Infrastructure.
Networthiness Certification is concerned with the identification, measurement, control, and minimization of security risks and impacts in IT systems to a level commensurate with the value of the assets protected. Networthiness Certification applies to all organizations fielding, using, or managing ISs on the Army Enterprise Architecture/LandWarNet (LWN), to include Commercial Off-the-Shelf (COTS) and Government Off-the- Shelf (GOTS). In accordance with AR 25-1, paragraph 6-8 activities must obtain a Certificate of Networthiness (CoN) before they connect hardware/software to the LWN.
NOTE: Per ARCYBER OPORD 2018-097, published April 20, 2018, the RMF Assess Only process will be implemented NLT July 2, 2018 to replace the Army CoN process. The OPORD and NETCOM Operational TTP are both published on the RMF Knowledge Service which is available at the following link: https://rmfks.osd.mil/ (CAC Required).
Which agencies require this certification? | Army Enterprise Architecture/LandWarNet (LWN) |
What is the estimated cost to earn this certification? | Free |
How long does it take, on average, to earn this certification? | up to 12 Months |
Do you need a sponsor to achieve this certification? | Yes |
What does this certification support? | To determine security, interoperability, supportability, sustainability, usability, and compliance with Federal, DoD, and CC/S/A regulations. |
What products does this certification apply to? | Commercial Off-the-Shelf (COTS) and Government Off-the- Shelf (GOTS) hardware and software products used by organizations fielding, using, or managing ISs. |
This post was updated to include new certification requirements on October 25, 2021.
Then request a FREE Consultation from Sanctum Federal! Our team has successfully built several Federal sales startup practices and secured millions of dollars of revenue directly from the Federal market and our mission is to help other organizations do the same!
Use the form below to request your FREE Federal Sales Consultation and learn what methods you can leverage to increase you or your team's ability to sell to the Federal Government!