FedRAMP PMO Adds Clarity to FIPS 140 Requirements

Does a Cloud Service Provider (CSP) need to implement a FIPS-validated multi-factor authentication (MFA) tool prior to a Cloud Service Offering (CSO) achieving FedRAMP Ready or can it be added to the Plan of Action and Milestones (POA&M) and addressed later?

To achieve a FedRAMP Ready designation, a CSO’s MFA solution must comply with NIST Special Publication (SP) 800-63B, which requires the use of FIPS 140 validated encryption for MFA tools. While agencies may accept risk by allowing a CSP to work through POA&M actions to achieve compliance with NIST SP 800-63B requirements, a Readiness Assessment Report (RAR) has no authorizing official to accept and approve risk for open POA&Ms. A FedRAMP Ready designation indicates to agencies that a cloud service can be authorized without significant risk or delay due to noncompliance. The use of FIPS 140 validated cryptographic modules, where encryption is required, is a federal mandate, as indicated in the RAR template. This applies to MFA tools as well.

The FedRAMP PMO has provided additional resources below that apply to all MFA tools, where required (authenticators and verifiers).

MFA resources:

• On low baseline systems, FIPS 140 validated crypto modules are only required for MFA verifiers, not authenticators.
• On Moderate baseline systems, user-provided (“bring-your-own”) authenticators are exempt from having to meet FIPS 140 requirements, particularly in the government-to-public use case.

FIPS 140 is not an easy prerequisite and with the swiftly changing landscape, it's more important than ever to have a strong partner to handle the issues as they crop up. SafeLogic's team addresses everything on your behalf, from sunset dates and algorithm transitions to operational testing and security patches. If you are a CSP, with or without MFA, don't hesitate to reach out. Let's discuss how you're tackling FIPS 140 and whether you need ongoing assistance from dedicated experts!