FIPS 140 - 2 for the Cisco 5921 ESR

Glad to see that the 5921 is FIPS validated.  Do you have any instruction on how to implement the Zeroize function both in the IOS and the hardware?

Hi Wray,

Thank you for your question, I checked with our developers for the context of how the zeroize feature is implemented per FIPS 140. It is as follows:

For the certification purposes, we have tested the Crypto key zeroization for c5921.

This could be done by commands such as "crypto key zeroize".

Regards,

Frank Columbus

Technical Marketing Engineer, Embedded Products

Internet of Things Systems and Software Group

Cisco Systems, Inc.

Thanks Frank. I thought maybe there was a hardware button that could have been implemented on a serial port. If the government is good with using an IOS command, then that’s good enough for me!

Thanks again.

Wray Upchurch

Manager, Product Management

wray.upchurch@datapath.com<mailto:%20wray.upchurch@datapath.com>

Office: +1 678 597 0423

<http://www.datapath.com/>

2205 Northmont Pkwy, STE 100

Duluth, GA 30096

This email and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains information that is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

Hi Wray,

Please remember that the 5921 is a software router.

A hardware button on the integrator's custom hardware combined with an application that monitors the button and programmatically logs into the router to issue the "crypto key zeroize" command could be done via a Linux TAP interface.

You could later in your custom app delete the router config file as it is located in the router's home directory, "/opt/cisco/c5921", depending upon how much you want to clear.

Regards,

Frank Columbus

Technical Marketing Engineer, Embedded Products

Internet of Things Systems and Software Group

Cisco Systems, Inc.

Yep. Fully aware it’s a SW router.

Wray Upchurch

Manager, Product Management

wray.upchurch@datapath.com<mailto:%20wray.upchurch@datapath.com>

Office: +1 678 597 0423

<http://www.datapath.com/>

2205 Northmont Pkwy, STE 100

Duluth, GA 30096

This email and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains information that is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.