by linuxguy2 918 days ago
Oooo for once, my time to shine! Or maybe, my time to shine???

> Is it typically expected of entry-level engineers, senior engineers, principals, tech leads, and/or project managers?

Working at a company that provides FedRAMP-approved services, the knowledge of FIPS within the company is a bit sparse. InfoSec definitely needed to understand it in order to explain to developers that they have to use BouncyCastle over the default Java crypto provider, etc., but it took someone else to _really_ understand it and tell InfoSec that they were initially asking for the wrong thing.

Entry-level? No. Senior? At least minimal understanding of how cryptography works in their language of choice and the impact of FIPS. Principal? Same. Tech leads? Not a well-defined role. Probably. Project managers? No.

> Have you ever needed to immerse yourself in a FIPS or ISO standard?

Yes. Multiple times. I argue with third-party auditors and the FedRAMP Joint Advisory Board about interpretation of these standards.

> Was it out of necessity for a project (just-in-time learning), or do some of you explore these standards in your spare time?

Necessity. See FedRAMP. However I can say ISO8601 was just for fun. ISO8601 gang represent!

> These standards are complex and mastering them is no small feat. It's interesting that people don't often brag about this expertise on their resumes.

I've seen a couple people who listed those standards or similar (FedRAMP again). Given the choice between two identical candidates while one has FedRAMP/FIPS/ISO experience I'll pick the one listing the standards.

> Have you ever listed such standards as part of your skill set? Why or why not?

I've not updated my resume since acquiring skills in the relevant standards but will probably include them when I do update my resume. They're a specialization that commands a premium when it comes to salary, if you're willing to work in the industries / companies that play in that space. Some people wouldn't include it because they truly hate working with rigorous standards.

> How has your understanding of these standards impacted your career or projects?

Understanding them has certainly proved to be a benefit to my career given how closely I work with them.

1 comment

Great reply. I have some follow-on questions -

Would you market yourself as an expert on these in a job search or as a developer etc, with additional expertise? Is this an area where companies typically need people full-time, or is it better suited to short term contracts?

As someone with experience in this myself: It depends on where you want to be in the food chain.

This comes up with companies that need to meet these standards to sell to someone in the Federal space (or someone who is selling to someone in the Federal space). They need to certify their products and maintain some level of certification.

You can be a consultant who helps companies get their products through an initial certification. You can be a full time employee who executes on designs and makes sure that no invariants get violated (which, after certification, would be a small amount of normal maintenance duties). Or you can work for a certification lab, since all of this is outsourced to a cottage industry of private companies!

This is pretty spot-on.