Can Your Garage Be Classified As Critical Infrastructure?


Did you know that, if you are working with the GSA in the not too distant future, the authentication of the software/hardware you use has to be FIPS 140-2 compliant?  If you or someone on your team is not familiar with this and other standards, it could impact your work—even if you are not doing anything directly for a government agency.


The FIPS 140-2 standard was developed by National Institute of Standards and Technology (NIST) to coordinate the requirements and standards for cryptography modules that include both hardware and software components. FIPS 140-2 defines four levels of security, simply named “Level 1” to “Level 4.” It does not specify in detail what level of security is required by any particular application, and it includes the software, hardware, and physical layer.


If your team does not include an IT person that is familiar with this and other standards, it could impede your ability to participate in bidding for GSA work.  Even if you are not doing work directly for a government agency, you could be left out in the cold.



A speaker at an event I recently attended gave two great examples:

  • Let’s say you are an independent engineer and have built an office in your garage.  You are contracted to design a machine for a company that builds equipment that produces widgets. This company then sells their equipment to another company to produce widgets for Lockheed Martin.  You are in the supplier chain and can be considered critical infrastructure.  When and if the government enforces the cybersecurity law recently passed and audits Lockheed Martin and their supplier chain,  the government can impose a speedy compliance, and you would no longer be able to supply the company you were designing for.
  • Suppose you are a designer of something that is used in a government-deemed critical infrastructure entity—such as a bank, hospital or electricity supplier.  You get hacked, and the hackers use the information they got from you to attack the entity that you designed for. Ignorance is never a defense in a matter such as this.  What would the cost to you be?


Knowledge and experience can seem like big expenses, but the cost of lack of knowledge and lack experience can bankrupt you.


Have a question for our experts? Leave your comment below or contact our experts directly at


About Fred Gordy


Email Address:

Fred Gordy is the operational technology manager for the McKenney's Enterprise Intelligence Group and is responsible for the technology strategy for the Automation & Control Solutions team. Fred has focused on control system cybersecurity for the past few years and has built a network of cybersecurity professionals to grow knowledge for the control system at large. He is also the current chair for InsideIQ's cybersecurity committee. Fred's portfolio includes projects with Chevron Energy Services at Eglin Air Force Base to reduce operating expense through real-time analysis as well as developing secure power monitoring systems for a national IDC, a national retail chain, and an international media company.

Leave a Reply

Your email address will not be published. Required fields are marked *