We have a client who is about to undergo a Criminal Justice Information Systems (CJIS) audit. One key requirement of the audit will be that Kaseya agents and RMM must be FIPS 140-2 compliant. In 2012 Kaseya received FIPS compliance, but any compliance older than 5 years is no longer valid. I opened ticket (358092) with Kaseya to ask when they are going to become compliant again and received the following response: "Unfortunately, at present we are not planning to renew the FIPS certificate."
Needless to say, this is very disappointing. If we wish to retain this client, we will not be able to use Kaseya. Is anyone else encountering this issue?
Not being content with the answer we received from tech support, we also reached out to Kaseya senior management. We almost immediately received email replies and phone calls from management, which was welcome and appropriate to the issue.
In his email reply, C.J. Wimley (Kaseya President and Chief Customer Officer) says ".... It seems this message out to our end user has been distorted...". By phone we are given to understand that Kaseya is in fact pursuing (re-)certification for FIPS 140-2.
After Kaseya Connect (understandably commanding senior management attention), we expect to receive a written communication with more details that will be used in the audit.
Hello. We have run into the exact same scenario. Tech Support responded to us saying it had lapsed, and we haven't received a response from anyone else in Kaseya after several emails to our sales guy.
This is going to be a large problem for us if Kaseya isn't re-certifying. We have 100+ agents that need this.
Based on a conversation with Mike Puglia (if memory serves me correctly) a year or two ago, the following were the take-aways. Hopefully all is correct. I documented it after our conversation.
Based on code changes. Every time the code changes, re-certification is required.
There are 7 certification labs. The process can take ~6 weeks. Cost is $150,000.00 per certification.
Issue with paperwork delay time in practice
Kaseya went through certification one time
Based on software version. Kaseya was certified on 6.2 or 6.3.
Every time the version changes, a re-certification is required. $100,000.00 per re-certification.
Agent: AES, encryption method certified for FIPS, audit, procedures, etc.
Endpoint: For Live Connect, Kaseya Remote Control, real time signaling. NOT FIPS. Uses TLS 1.2 with 256-bit cipher. Uses a certificate.