Stay up to date on all of Cygnacom’s News.

Media Inquiries:

Steph Haugan

Cygnacom Cybersecurity Warrior Ella Schwartz Wins Top Honor for Her Children’s Book Aimed at Advancing Interest in Cryptography

January 23, 2020
Drawing on 20 years of experience at Cygnacom, Schwartz pens Can You Crack The Code? that will distribute to schools nationwide.

MCLEAN, VIRGINIA January 23, 2020 — Cygnacom (, a global vanguard in cybersecurity consulting, announces that Ella Schwartz, senior manager, federal professional services at Cygnacom, has received a prestigious award from the Association for the Advancement of Science (AAAS). Schwartz’s book, Can You Crack The Code?: A Fascinating History of Ciphers and Cryptography was named the winner of the 2020 AAAS/Subaru SB&F Prize for Excellence in Science Books in the Hands-on Science Book category. The book seeks to engage young minds in cryptography through compelling historical anecdotes, scientific backup and do-it-yourself (DIY) projects.

As part of this award, Subaru of America will purchase thousands of copies of the book and distribute them to schools nationwide along with a curriculum to help teachers integrate the book into their lesson plans. Schwartz and her fellow winning authors will be honored at the AAAS Annual Meeting in Seattle, WA, February 13-16, 2020.

“Throughout two decades at Cygnacom, I’ve had the opportunity to be mentored by the top experts in the field and work on important, cutting-edge cybersecurity initiatives,” said Schwartz. “Armed with this experience, I wrote Can You Crack The Code? with the hope of inspiring our next generation of cybersecurity warriors.”

At Cygnacom, Schwartz directs a team of technical consultants that deliver security consulting, architecture and system integration services to the federal government. As an expert in her field, Schwartz has been invited to lecture and speak on a variety of industry topics including security, cryptography and history. She has also taught courses in cybersecurity and led clinics for both children and adults.

“We’re thrilled that Ella has won this award and we’re grateful to have Ella on the Cygnacom team,” said Peter Bello, president of Cygnacom. “It’s incredible that one of our own experts is helping America’s youth focus on topics that matter to our future. Cybersecurity is a fascinating, increasingly important field and we’re so proud to drive growth and education in the world of science and technology.”

Visit to learn more about Cygnacom’s industry-leading cybersecurity services. For more information about Can You Crack The Code, visit

Cygnacom Hires Cybersecurity Veteran Wendy Murphy as Senior Director of Sales

November 5, 2019
Murphy Will Leverage 30-plus Years Working in the Washington, D.C. Federal Government Market to Raise Cygnacom’s Profile and Grow Sales.

MCLEAN, VIRGINIA November 5, 2019 — Cygnacom, a global vanguard in cybersecurity consulting, announces the appointment of Wendy Murphy to head Cygnacom sales. Murphy brings three decades of experience creating and implementing high-impact sales strategies that produce lasting revenue growth.

In her position as senior director of sales at Cygnacom, Murphy draws from her experience working as an independent consultant to a variety of Beltway IT services companies as well as positions she held at visionaries including VariQ, Red Hat, Dell, Unisys and Meridian MZero. Throughout her career, Murphy has formed thousands of enduring relationships with customers in both the public and private sectors. She brings an array of well-honed skills to Cygnacom—channel/system integrator development, new business and market penetration, end-to-end complex enterprise solutions and more.

“We’re thrilled to welcome Wendy Murphy to the Cygnacom team,” said Peter Bello, president of Cygnacom. “She is a trusted partner in the cybersecurity industry with strong relationships and she is a great asset to our growth initiatives.”

Murphy’s IT and cybersecurity credentials are impressive. While at Dell, she more than doubled the company’s Treasury business market share in just two years and her team was named the #1 Federal Civilian Team twice in one year. Working at Red Hat, she was responsible for explosive growth in the company’s Federal Reserve Bank account and migrated the IRS to an enterprise Red Hat operating system. In addition, Murphy’s mediation skills have been enlisted by Unisys during high-level meetings with the Federal Government.

“I’m excited to help Cygnacom build on its mission to help clients leverage security to accelerate growth. I’m proud to be among industry leaders and visionaries,” said Murphy. “I look forward to growing Cygnacom’s business and exceeding the goals they set for me.” 

Cygnacom’s visionary leadership team consisting of Peter Bello, Isadore Schoen and Neal Fuerst were pioneers in PKI technology. They implemented some of the first PKI solutions for U.S. government and commercial companies in the 1990s. 

Cygnacom Launches Key Recovery Server for Entrust Security Manager to Securely Archive and Access Private Keys

October 23, 2019
Cygnacom KRS enables deployment of key recovery services that are compliant with a variety of key recovery policies and models.

MCLEAN, VIRGINIA, October 23, 2019 Cygnacom (, a global vanguard in cybersecurity consulting, announces the launch of its Key Recovery Server (KRS) for Entrust Security Manager. Cygnacom KRS is an empowering solution to the increasingly common challenge of enabling and maintaining access to encrypted information when the original private key is lost, corrupted or otherwise unavailable.

Cygnacom KRS provides a highly secure secondary means for accessing private keys used to encrypt information. When a new public/private key set is issued by an organization, the KRS automatically archives a copy of the private key, which is then stored securely within the Entrust Security Manager Database. When private keys need to be recovered, the specially designed Cygnacom Key Recovery software provides a streamlined workflow for executing two-party review and authorization of the key recovery request.

“Cygnacom KRS provides an intuitive interface and flexible features that implement the controls required for key recovery workflow, while providing secure chain of custody for private keys as required by policy to maintain trust and compliance across the PKI,” said Peter Bello, president of Cygnacom. “It will streamline accessing private keys for security professionals and law enforcement agencies.”

End users require key recovery for forgotten passwords, lost hardware tokens, expired keys and corrupted keys due to hardware or software failure. In turn, organizations need key recovery for user errors, absent or terminated employees, outbound and inbound email analysis and audit requirements. In addition, law enforcement criminal investigations, surveillance and national security activities are aided by key recovery.

Cygnacom KRS is compliant with a variety of established key recovery policies including the Common Policy Working Group and the U.S. Department of Defense PKI. It allows organizations to build customized key recovery workflows—while enabling secure control by easily limiting key recovery decisions to specific groups and implementing multi-party oversight and authorization. Once a key is recovered, it is securely delivered to the requestor in PKCS #12 or onto hardware devices.

To learn more about Cygnacom KRS and streamlined, secure private key recovery, visit

BeyondTrust and Cygnacom Awarded Level 2 FIPS Validation for Remote Support Appliance

July 8, 2019
BeyondTrust selected Cygnacom Solutions, a one-stop provider of comprehensive U.S. standards-based security testing and evaluation services for IT and cryptographic products, in order to obtain FIPS 140-2 Level 2 validation

ATLANTA, July 08, 2019 (GLOBE NEWSWIRE) — BeyondTrust, the worldwide leader in Privileged Access Management, today announced it has been awarded a Level 2 Federal Information Processing Standards Publication (FIPS) 140-2 validation for its remote support B300 appliance. This recertification makes the B300 FIPS appliance the only remote support solution to achieve FIPS 140-2 Level 2 validation. BeyondTrust ensures customer data remains safe from the most sophisticated methods of intrusion.

Government agency systems throughout the world hold highly confidential information that needs strong protection, to ensure it never risks falling into the wrong hands. Due to the increasing sophistication of state actors and others intent on breaching defenses and exploiting weaknesses in computer systems and networks, data and network security remains a higher priority in the government sector. This validation further enables BeyondTrust’s customers with the most secure and dependable remote support solution.

Government agencies (and private sector organizations that support government agencies) can have confidence that BeyondTrust Remote Support has met the rigorous requirements of FIPS 140-2 Level 2. Organizations that deploy the updated BeyondTrust Remote Support FIPS appliance can meet these unique compliance requirements.

“Our FIPS validated encryption is one of several certifications we will be acquiring over the coming months for our newly integrated platform,” said Craig McCullough, Vice President of Public Sector at BeyondTrust. “We are dedicated to our public sector customers, and we will continue to aggressively support their missions by providing the best-in-breed and most comprehensive and secure solutions available.

”In order to obtain the FIPS 140-2 Level 2 validation, BeyondTrust selected Cygnacom Solutions, a one-stop provider of comprehensive U.S. standards-based security testing and evaluation services for IT and cryptographic products. Cygnacom Solutions provides a wide range of consulting services and customized solutions to help clients develop, implement and maintain their information of security programs, policies and strategy.

About FIPS

FIPS 140-2 standard is specific to security requirements for a cryptographic module used within a security system, and is published by the U.S. National Institute of Standards and Technologies (NIST). FIPS 140-2 is recognized by the U.S. and Canadian governments, as well as the European Union. FIPS 140-2 was the main input document for developing ISO/IEC 19790, and is recognized worldwide as an important benchmark for third-party validations of encryption products of all kinds.

About Cygnacom Solutions

Cygnacom Solutions has been providing professional information security services and cryptographic solutions to government and business clients since 1994. With a staff of highly qualified engineers, Cygnacom provides a wide range of consulting services and customized solutions to help clients develop implement and maintain their information security programs, policies and strategy. Through its accredited laboratories, Cygnacom is also a one-stop provider of comprehensive U.S. standards-based security testing and evaluation services for IT and cryptographic products. For more information, visit:

About BeyondTrust:

BeyondTrust is the worldwide leader in Privileged Access Management, offering the most seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access. Our extensible platform empowers organizations to easily scale privilege security as threats evolve across endpoint, server, cloud, DevOps, and network device environments. BeyondTrust unifies the industry’s broadest set of privileged access capabilities with centralized management, reporting, and analytics, enabling leaders to take decisive and informed actions to defeat attackers. Our holistic platform stands out for its flexible design that simplifies integrations, enhances user productivity, and maximizes IT and security investments. BeyondTrust gives organizations the visibility and control they need to reduce risk, achieve compliance objectives, and boost operational performance. We are trusted by 20,000 customers, including half of the Fortune 100, and a global partner network. Learn more at

Cygnacom Experts Headline International Cryptographic Module Conference 2019

May 8, 2019
Cygnacom leaders to share exclusive cybersecurity insights in featured presentations, closing remarks at top global cryptography event

MCLEAN, VIRGINIA May 8, 2019 — Cygnacom (, a global vanguard in cybersecurity consulting, will headline the seventh annual International Cryptographic Module Conference (ICMC19), May 14-17 in Vancouver, Canada, delivering two featured presentations, as well as the event’s closing remarks.

Nithya Rachamadugu, Cygnacom Senior Director, will moderate the “FIPS and Common Criteria: Symbiotic Certifications” panel on Friday, May 17 at 1:30 p.m. Rachamadugu, who heads up Cygnacom’s government-accredited FIPS 140-2 and Common Criteria labs, will lead a discussion on the artifacts reuse within the security certifications. Rachamadugu will also deliver the event’s closing remarks, Friday, May 17 at 3 p.m.

Cygnacom Security QA Engineer, Abdullah Abubshait, will present “Certificate Maintenance: 3Sub vs. 5Sub” Wednesday, May 15 at 3:45 p.m. Abubshait will outline the difference between security-related and non-security-related changes, and provide a baseline for determining whether security-related changes require a modified module to be submitted under scenario 5 (full submission) or the less time- and cost-intensive scenario 3 under current IG G8 regulations.

Cygnacom Senior Security QA Engineer, Jonathan Smith, will defend his Crypto Championship for the second year at the Crypto Jeopardy Game show on Thursday, May 16 at 5 p.m.

Attendees can also visit Cygnacom booth #304 in the exhibition hall, where the full roster of Cygnacom experts will be answering certification questions and providing one-on-one cybersecurity consultations. As a featured exhibitor at ICMC19, the Cygnacom booth will be open during designated breaks on Wednesday and Thursday, May 15-16, as well as during the Welcome Reception on Wednesday evening.

“Cygnacom is proud to join more than 500 cryptography leaders from over 25 countries in fostering an organized community focused on advanced global cybersecurity,” said Peter Bello, president of Cygnacom. “We are honored that our experts have been chosen by their peers to share unique insights at ICMC19.”

As the leading annual event for global expertise in commercial cryptography, ICMC19 will address the unique challenges faced by those who develop, produce, test, specify and use cryptographic modules — with a strong focus on standards such as FIPS 140-2, ISO/IEC 19790, and Common Criteria.

New Cygnacom Website Launches Access to More Cybersecurity Expertise

March 12, 2019
Modernized site reflects the firm’s role as a valuable industry resource.

MCLEAN, VIRGINIA March 12, 2019 — Cygnacom (, a vanguard in cybersecurity consulting since 1994, has launched a new content-rich website to provide cybersecurity insights and easy access to its experts. Celebrating 25 years of delivering continuous security assurance for business, government and critical infrastructure, Cygnacom designed a fresh, modern website that reflects its role as a valuable resource to its clients.

“For decades our company has been working to overcome negative perceptions surrounding data security. We want to help our clients see security as a business enabler to accelerate growth—rather than just an overhead cost,” said Peter Bello, president of Cygnacom. “With Cygnacom’s new website, we’re using education and our internal thought leaders to combat fear and coach visitors on the right technologies that protect identities, reputations and businesses.

”Highlights of the new website include timely insights on the industry’s most popular topics such as mobile-derived credentials, blockchain and IoT security. Visitors will also have access to the firm’s experts and will enjoy a completely new user experience.

Cygnacom provides professional and certification services to a wide range of government agencies and businesses. Its clients and partners depend on the firm to implement strong authentication, protect information and identities, test for evolving certification standards and secure other high-value assets.

Cygnacom facilities were among the first to be accredited by the U.S. Department of Commerce, National Voluntary Laboratory Accreditation Program for the National Institute of Standards and Technology (NIST), and the National Information Assurance Partnership (NIAP)’s FIPS 140-2 and Common Criteria (ISO/IEC 15408) certification testing programs.


Articles and Press coverage of Cygnacom

How Cybersecurity Accelerates Business Growth

Posted Oct 21, 2019 by Help Net Security


Stay current on the fast-moving cybersecurity industry with updates and informational materials from Cygnacom.

Information About FIPS 140-3

April 22nd, 2020

The NIST Federal Information Processing Standard (FIPS) 140-3 is an update to FIPS 140-2 guiding the validation of cryptographic modules that was finalized by the U.S. government in March 2020. It is titled “Security Requirements for Cryptographic Modules” and is the third generation of FIPS that will take effect in September of 2020. The Cryptographic Module Validation Program (CMVP) will start accepting validation submissions for FIPS 140-3 in September 2020. FIPS 140-3 will eventually supersede FIPS 140-2, which will be completely phased out a year later in September 2021. However, FIPS 140-2 validation certificates awarded prior to the phase-out date will be valid for five years.

Why is FIPS 140-3 Necessary?

FIPS 140-2 is nearly 20 years old and much has changed in the world of cyber security. Products and technologies have evolved significantly — we now have hardware, software, hybrid and firmware — and need to validate new module forms. FIPS 140-3 provides the vendor information and steps that laboratories need to take to ensure the new requirements are met for securing sensitive but unclassified information. FIPS 140-3 provides minimum standards that industries such as healthcare, legal, utilities and finance must meet to receive validation certificates.

How FIPS 140-2 and FIPS 140-3 Differs

FIPS 140-2 dictates security requirements once a cryptographic module is finalized. The new FIPS 140-3 standard will be more closely aligned with the existing international standard ISO/IEC 19790:2012 (E) and introduces some modifications to its annexes. FIPS 140-3 lays out security requirements that need to be validated during the design, implementation and operational deployment phases of a cryptographic module.

NIST has developed seven documents managing seven areas of change with FIPS 140-3. To meet the changing times, FIPS 140-3 covers the additional areas of software/firmware security, non-invasive security, sensitive security parameter management and life-cycle assurance. The seven documents covered are:

  • Additional evidence and testing required to meet CMVP cryptographic module validation
  • New minimum vendor evidence to include CMPV-specific vendor requirements
  • Updated vendor-generated security policy — including templates to present security information
  • CMVP-approved security functions to use in approved modes of operation
  • CMVP-approved sensitive security parameter generation and establishment methods for approved modes of operation
  • Specifications for the CMVP authentication requirements of cryptographic models
  • Non-invasive physical security requirements for modules that support cryptographic security measures

To learn more about FIPS 140-3 and how the changes will impact your organization, please contact me at

CMVP + CST Lab Annual Meeting: What You Need to Know

July 23, 2019

Cygnacom took part in two major industry events in mid-May: the International Cryptographic Module Conference (ICMC19) and the annual meeting of the Crytographic Module Validation Program (CMVP) and the Cryptographic and Security Testing (CST) Lab management. This year’s CMVP + CST Lab meeting was particularly significant as the program is entering a period of several major transitions. We want to make our vendors aware of what was discussed and the proposed changes that are coming:

Crytopgrahic Algorithm Validation Program (CAVP) Update
Algorithms test volume increases:

The number of algorithms tested each year continues to increase.

Transition to Automated Cryptographic Validation Program (ACVP):

The demo server is up and has all algorithm testing implemented. Vendors and Labs may request test vectors and test against the Demo server.

The ACVP Interim Process started on May 13, 2019:

Algorithms issued under this process (ACVP) will be considered provisional until the validating lab (third-party testers) has been accredited for the new scope.

Charging for ACVP Validation Begins October 1, 2019:

CAVP will begin charging for algorithm validation under both CAVS and ACVP when a new Cooperative Research and Development Agreement (CRADA) between the CST labs and the National Institute of Standards and Technology (NIST) goes into effect. Every algorithm/mode is to be considered a submission and will have an associated charge; refer to ACVP GitHub for a list of algorithms/modes. There are currently 98 algorithms/modes with many algorithms subdivided into multiple modes (e.g. AES could be as many as 13 if all modes, key wrap, etc. were tested).

Composite Application Validation System (CAVS) Phase Out:

CAVS testing is expected to be withdrawn no more than six months after the final National Voluntary Laboratory Accreditation Program (NVLAP) scope for ACVP testing becomes available. Individual vendors (first-party testers) may be accredited to obtain their ACVP certificates. NVLAP is working on the hand book [HB 150-17 Annex G] update to include the accreditation rules for vendors. See for all relevant information.

CMVP Update
263 FIPS 140-2 certificates issued in FY2018:

158 for level 1, 74 for level 2, 30 for level 3, and 1 for level 4. Additionally, 407 revalidations that do not result in a new certificate (like 1SUB, 4SUB, etc.) were also issued.

NIST Fees:

Cost recovery fees will remain the same for FY2020.

NIST Review Times:

Review times were impacted by the government shutdown. To prevent this issue in the future, the NIST CMVP reviewer 2018-2019 is now classified as an excepted employee. This means they can continue performing baseline operations — including keeping the web page up — during any future US government shutdowns.

Special Pub 800-90B – Entropy Assessment:

CMVP published Implementation Guidance (IG) 7.18 Entropy Estimation and Compliance with SP 800-90B on May 7, 2019. This IG now allows modules to submit entropy reports against the January 2018 standard, instead of using the IG 7.15 entropy assessment method.

  • November 7, 2020 is the deadline to submit against the old IG 7.15
  • At this time entropy source validations are not being assigned algorithm validation numbers and there is no automatic reuse of entropy sources. If you do submit an SP 800-90B compliant entropy report under IG 7.18, the module will get “ENT” listed as an approved algorithm, but with no associated algorithm validation number (under IG 7.15 you instead get “NDRNG” listed as a non-approved but allowed algorithm). Each module using a given entropy source will need to separately include the entropy assessment report in the submission to CMVP.
IG 7.14:

is still used to determine whether or not a module even requires an entropy assessment report — be it IG 7.15 or IG 7.18.

Federal Information Processing Standards (FIPS) 140-3

On May 1, 2019, the Federal Register announced that the FIPS 140-3 standard had been signed on March 22, 2019. This three-page document simply says that CMVP adopts ISO/IEC 19790:2012(E), Information technology — Security techniques — Security requirements for cryptographic modules and ISO/IEC 24759:2017(E), Information technology — Security techniques — Test requirements for cryptographic modules as modified by a number of SP 140 series documents that have yet to be written.

  • FIPS 140-3 is effective September 22, 2019
  • Validations using FIPS 140-3 will be accepted starting September 22, 2020
  • FIPS 140-2 testing will continue for at least a year after FIPS 140-3 testing begins
  • We will update you as the SP 140 series document is released for public comment
  • CMVP will call for CMUF working group volunteers for analysis and conversion of present IGs to 140-3
Key Agreement

Draft IG D.8 proposed major impacts to already validated and in-process modules. Per that draft, after January 1, 2021, modules shall only perform key agreement using:

  • An approved SP 800-56B compliant RSA-based key agreement
  • An approved SP 800-56A rev 3 key agreement paired with either SP 800-56C Rev 1 or SP 800-135 Rev 1 key derivation

    NOTE: Though the organization has changed, the cryptography has not. This means that modules compliant to earlier versions of SP 800-56A should already comply with the requirements of Rev 3. However, a 1SUB will likely be required to update that claim in order to remain after the transition.

  • An IG A.2 compliant elliptic curve key agreement scheme.
  • Any modules containing any other key agreement will be moved to the historic validation list after January 1, 2021.
New & Updated IGs – Published
  • IG 7.18 Entropy Estimation and Compliance with SP 800-90B

    18-month transition period until compliance to 90B becomes mandatory

  • IG G.13 Instructions for Validation Information Formatting

    New “ENT” entry for 90B compliant modules

  • IG 7.14 Entropy Caveats

    Added additional comment #5 to address the caveat required when a module generates random strings that are not keys, or generates both strings and keys

    Added additional comment #6 to address the case where two entropy caveats can be applied, but only the stronger caveat is required

  • IG 7.15 Entropy Assessments

    Added a reference to IG 7.18

  • IG G.17 Remote Testing for Software Modules

    Amended language on Cloud Testing

  • IG 1.21 Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI)

    Added two SHA extensions for Intel and AMD processors

  • IG 2.1 Trusted Path

    Updated to allow enforcement of the Trusted Path by applying cryptographic protection

  • IG 9.4 Known Answer Tests for Cryptographic Algorithms

    Added clarity on self test requirements for algorithms that are symmetric that implement multiple modes, CVLs, KBKDF and vendor affirmed

    Also extended KBKDF KAT deadline from May 10 to May 30, 2019 to align with 6 months after the re-publication of IG 9.4 (Nov 30, 2018)

  • IG 9.4 Known Answer Tests for Cryptographic Algorithms

    Added clarity on self test requirements for algorithms that are symmetric that implement multiple modes, CVLs, KBKDF and vendor affirmed

    Also extended KBKDF KAT deadline from May 10 to May 30, 2019 to align with 6 months after the re-publication of IG 9.4 (Nov 30, 2018)

  • IG 9.11 Reducing the Number of Known Answer Tests

    Further explained: when an algorithm can or cannot take advantage of IG 9.11 provisions; and how embedded algorithms fit into IG 9.11. Added effective date of May 10, 2019

  • IG 14.5 Critical Security Parameters for the SP 800-90 DRBGs

    Removed Additional Comment #2 as “full entropy”, in this context, is an unreasonable expectation

New & Updated IGs – Under Review
New IGs
  • IG G.18 Limiting the Use of FIPS 186-2 (this IG will have big impact on OpenSSL FIPS Object Module, which does not conform to FIPS 186-4)
  • IG D.1rev3 – CAVP Requirements for Vendor Affirmation to SP 800-56A Rev3 and the Transition from the Validation to the Earlier Versions of This Standard
Updated IGs
  • IG 9.4 Known Answer Tests for Cryptographic Algorithms

    Added a KAT requirement on symmetric-key forward and inverse cipher functions

    Corrected the authenticated encryption mode hierarchy and clarified how to meet the different symmetric-key algorithm requirements and how they relate to each other

    Clarified when the PCT applies for an asymmetric key generation implementation

  • IG D.8 Key Agreement Methods

    Incorporated SP 800-56Arev3 and the new IG D.1rev3 into this IG

  • IG D.10 Vendor affirmation to SP 800-56C Rev1

    Updated to allow for vendor affirming to SP 800-56Crev1

NOTE: Though the organization has changed, the cryptography has not. This means that modules compliant to earlier versions of SP 800-56A should already comply with the requirements of Rev 3. However, a 1SUB will likely be required to update that claim in order to remain after the transition.

Interested in learning more about Cygnacom’s presentations — or talking with us about the insights, best practices and innovative use cases from ICMC19? Please connect with me at

Consult with our cybersecurity experts.