Important News:SafeLogic announced PQC Early Adopter Program at RSA Conference 2024 Learn more!

The SafeLogic Blog

FedRAMP PMO Adds Clarity to FIPS 140 Requirements

December 17, 2021 Walt Paley

When the FedRAMP PMO expands their FAQ and spotlights it in their newsletter, you know they must have gotten a lot of queries. In this case, the PMO has addressed FIPS 140 requirements and specifically about Multi-Factor Authentication (MFA). Here is what they added:

To achieve a FedRAMP Ready designation, a CSO’s MFA solution must comply with NIST Special Publication (SP) 800-63B, which requires the use of FIPS 140 validated encryption for MFA tools. While agencies may accept risk by allowing a CSP to work through POA&M actions to achieve compliance with NIST SP 800-63B requirements, a Readiness Assessment Report (RAR) has no authorizing official to accept and approve risk for open POA&Ms. A FedRAMP Ready designation indicates to agencies that a cloud service can be authorized without significant risk or delay due to noncompliance. The use of FIPS 140 validated cryptographic modules, where encryption is required, is a federal mandate, as indicated in the RAR template. This applies to MFA tools as well.

The FedRAMP PMO has provided additional resources below that apply to all MFA tools, where required (authenticators and verifiers).

MFA resources:

1. The NSA published a paper last year, Selecting Secure Multi-factor Authentication Solutions, addressing popular MFA offerings and their status on meeting NIST requirements; CSPs may find this helpful to assist in identifying FIPS 140 validated MFA solutions. As indicated, this is not a FedRAMP developed document and FedRAMP does not control the currency of the information.

2. There are two notable exceptions to the FIPS 140 requirement for authenticators in SP 800-63. These are:
  • On low baseline systems, FIPS 140 validated crypto modules are only required for MFA verifiers, not authenticators.
  • On Moderate baseline systems, user-provided (“bring-your-own”) authenticators are exempt from having to meet FIPS 140 requirements, particularly in the government-to-public use case.
3. NIST SP 800-63 is a complex set of documents that should be reviewed by any organization implementing MFA for a government system. In addition to the base standards document, NIST provides a FAQ and implementation resources.

FIPS 140 is not an easy prerequisite and with the swiftly changing landscape, it's more important than ever to have a strong partner to handle the issues as they crop up. SafeLogic's team addresses everything on your behalf, from sunset dates and algorithm transitions to operational testing and security patches. If you are a CSP, with or without MFA, don't hesitate to reach out. Let's discuss how you're tackling FIPS 140 and whether you need ongoing assistance from dedicated experts!

Walt Paley

Walt Paley

Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An Alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.

Share This:

Back to posts

Popular Posts

Search for posts


See all