
FIPS 140
What It Is

FIPS 140 is the benchmark established by NIST (the U.S. National Institute of Standards and Technology) to standardize and certify a minimum level of cryptography for deployment in the U.S. federal government. Without this validation, encryption modules are considered to be of unknown quality and placed in the same category as plaintext. Essentially, when FIPS 140 validation is required, it is binary - either the certification has been achieved or it has not. If the encryption module has not been tested and proven to meet the minimums, it is treated like it doesn’t exist at all. Because government systems rely so heavily on cryptography for data protection and FIPS 140 validated encryption is used in all Sensitive But Unclassified (SBU) federal operating environments, there is a lot riding on the enforcement of these standards.

NIST and their Canadian counterpart CSE (Communications Security Establishment) teamed up in 1995 to establish the mechanisms for testing and certifying that the FIPS 140 benchmark had been met. The CMVP (Cryptographic Module Validation Program) and CAVP (Cryptographic Algorithm Validation Program) are dedicated departments, staffed by NIST and CSE employees, that focus on FIPS 140 and cooperate with independent, licensed third-party testing labs. The labs conduct functional testing and package and submit all the paperwork, but it is the CMVP that ultimately reviews the results and issues the FIPS 140 validation.

FIPS 140 has become well known as a building block certification, leveraged as a prerequisite by many technology approval programs for government and regulated industries like finance, healthcare, legal, and utilities. This was as intended by NIST. As a clearinghouse for the public and private sectors, NIST publications are highly influential. For example, SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, underpins the FedRAMP authorization, while SP 800-171, Assessing Security Requirements for Controlled Unclassified Information, is the basis for the CMMC (Cybersecurity Maturity Model Certification) program. FISMA, DoDIN APL, Common Criteria, HIPAA and HITECH healthcare regulations all follow suit, specifying the dependency on FIPS 140 validation for any cryptography deployed within the solution.


DISAMBIGUATING CLAIMS

You may have heard “FIPS Compliant” or “FIPS Ready” or other terminology, particularly in competitors’ marketing. These are not the same as being validated, and are used to confuse customers and undermine the distinction. When a module has been validated to meet FIPS 140, NIST issues a validation certificate publicly on their website. It includes the vendor name and contact information, as well as technical data on the module. Without this affirmation from NIST, the standard has not been met, even if the same cryptographic algorithms are used. The module must be tested in its entirety.

COMMON AREAS OF CONFUSION

There are four available levels in the FIPS 140 program and many folks confuse the “dash two” and “dash three” designations as an indication of a Level 2 or Level 3 validation. To be accurate, FIPS 140-2 is simply the second iteration (hence the -2 suffix) of the encryption benchmark. It was adopted in 2001 and is currently transitioning to the next version, FIPS 140-3. The latter began official testing in September of 2020, kicking off a full calendar year of parallel availability before the final 140-2 test reports are filed in September 2021.


The other common misconception surrounding the four levels is that they are a linear progression. Instead, each level is a fixed target: either the cryptographic module has been validated and certified to meet the applicable level of the FIPS 140 standard, or it hasn’t been. Each level represents different requirements for various types of technology, not a gradient. Modules do not receive A+ or B- grades; they simply get a thumbs up or a thumbs down for their validation level. For example, software modules are typically validated for Level 1 since there are no physical characteristics to test, but hardware often comes in at Level 3, including tamper evidence and other features. Level 4 is hardly ever seen: it creates the need for additional expensive hardware and sacrifices longevity of the validation, and it is rarely stipulated in a procurement contract.

FIPS 140-2 imposed requirements in 11 different areas:

  • Cryptographic Key Management
  • Cryptographic Module Ports and Interfaces
  • Cryptographic Module Specification
  • Design Assurance
  • EMI/EMC
  • Finite State Model
  • Mitigation of Other Attacks
  • Operational Environment
  • Physical Security
  • Roles, Services, and Authentication
  • Self-tests

The new FIPS 140-3 standard features 12 categories of requirements:

  • General
  • Cryptographic Module Specification
  • Cryptographic Module Interfaces
  • Roles, Services, and Authentication
  • Software/Firmware Security
  • Operational Environment
  • Physical Security
  • Non-Invasive Security
  • Sensitive Security Parameter Management
  • Self-Tests
  • Life-Cycle Assurance
  • Mitigation of Other Attacks

Each is assessed depending on the targeted validation level and documented accordingly.

The effort is significant and traditionally took more than 16 months to complete.

TIME TO BRING IN THE EXPERTISE

The stakes are high and the program is nuanced, so it’s extremely important to partner with an expert that can simplify this effort.

SafeLogic has disrupted this sector with a productized solution that has been selected by many vendors for its accelerated timeline, reduced complexity, cost savings, and ease of offloading the project.
