The current published version of the NAESB Energy Service Provider Interface does not require implementers to meet FIPS 140-2 encryption requirements.
Furthermore, experience indicates UCAIug ITCA CMD Certification Applicants are not able to provide reliable evidence their computer infrastructures meet the FIPS 140-2 encryption compliance requirement, which is creating a liability issue for the UCAIug ITCA test laboratory without including a full FIPS 140-2 test suite as part of the CMD testing process. Such an inclusion will be cost prohibitive for CMD Certification applicants and would only apply to the infrastructure currently being tested. Any changes to their infrastructure system, would void the issued certification and require a full FIPS 140-2 certification test of their new infrastructure.
Therefore, it is recommended, since the UCAIug ITCA is NOT a recognized NIST FIPS 140-2 testing organization, that the requirement for Data Custodian and Third Party Connect My Data certification applicants meet the NIST FIPS 140-2 encryption certification requirement be removed.