Important News:CryptoComply FIPS 140-3 Early Access Program is now open. Learn more!

Understanding FIPS 140 Requirements for FedRAMP Compliance

FedRAMP FIPS 140 Compliance

FedRAMP Was Created to Accelerate Federal Adoption of Secure, Cost-Effective Cloud-Based IT

The U.S. Federal Risk and Authorization Management Program (FedRAMP) was created in 2011 to provide a standardized approach for assessing, monitoring, and authorizing Cloud computing products and services under the Federal Information Security Management Act (FISMA).

FedRAMP’s stated goal is to enable “agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective Cloud-based IT”.

 In January 2023, the President signed the FedRAMP Authorization Act as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. 

FedRamp act release

FedRAMP Provides Efficiency and Synergy for Government Agencies and Cloud Service Providers

By standardizing the FedRAMP FIPS requirements, disparate agencies can reap the benefits of selecting products from a pool of already-vetted Cloud solutions, accelerating deployment and simplifying the process.

Since FedRAMP’s  standardized security framework is recognized by all executive branch federal agencies, IaaS, PaaS, and SaaS vendors only need to go through the FedRAMP Authorization process once for each of their Cloud Service Offerings (CSOs).

FedRAMP, like so many other U.S. federal technology governance requirements, is tied directly to the frameworks established by the National Institute of Standards and Technology (NIST).

FedRAMP relies on NIST’s Special Publication (SP) 800-53 for best practices in federal information systems and organizations. Adhering to FedRAMP FIPS compliance requirements is crucial. Hence, FedRAMP can be interpreted as “clarifying 800-53 controls for Cloud deployment.”

FedRAMP logo sm

FedRAMP Security is Based on NIST SP 800-53

Both FedRAMP and FISMA use the NIST SP 800-53 security controls. The FedRAMP security controls are based on NIST SP 800-53 baselines and contain controls, parameters and guidance above the NIST baseline that address the unique elements of cloud computing.

FedRAMP security controls and enhancements were selected from the NIST SP 800-53 catalog of controls by the FedRAMP Joint Authorization Board (JAB) based on the FedRAMP Program Management Office (PMO) analysis.

The JAB then layered additional guidance and requirements around these controls. The controls were selected to address the unique risks of Cloud computing environments, such as multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust.

The FedRAMP security controls, enhancements, parameters, and requirements are arranged in tiers based upon the four FedRAMP Security Controls Baselines – Tailored, known as Low Impact Software as a Service (LI-SaaS), Low, Moderate, and High.

They are organized into seventeen (17) control families and each increasing level adds to the controls required for from the lower security control baseline.

Federal Agencies and their Cloud Service Providers (CSPs) are mandated to implement these security controls, enhancements, parameters, and requirements to satisfy the unique requirements of Cloud computing for the Federal Government.

IaaS, PaaS, and SaaS Providers Must use FIPS Validated Cryptography for Encryption to Obtain their FedRAMP Certification

FedRAMP is designed for federal agency procurement streamlining, so the encryption requirements conform to federal mandates.

There are three (3) critical controls that have been mapped from NIST 800-53 that are required at every FedRAMP baseline and in which encryption is addressed:

  • IA-7 Cryptographic Module Authentication
  • SC-12 Cryptographic Key Establishment and Management
  • SC-13 Cryptographic Protection

NIST security controls across all their publications always reference the NIST standards written for cryptography – Federal Information Processing Standard 140, now in the process of transitioning from its second revision, FIPS 140-2, to its third, FIPS 140-3.

This states that in all cases, if encryption is employed as a mechanism to meet a security requirement, it must be FIPS 140 validated under the Cryptographic Module Validation Program (CMVP).

You can never go wrong with FIPS 140-2 validated encryption in federal government deployments or when satisfying NIST requirements.

Marketplace2

 

Learn More about FedRAMP Requirements for Validated Cryptographic Modules

SafeLogic's FIPS Validation-as-a-Services Meets FedRAMP Requirements

 

Getting your own cryptography software reviewed, tested, validated, and certified by NIST can take as long as two years, not counting the time required to develop the software.  SafeLogic literally cuts the time required to achieve NIST certification from two years to two months, then keeps your certification active over time with these three key capabilities.

 

CryptoComply White
CryptoComply White

CryptoComplyTM

CryptoComply is SafeLogic’s flagship software, a family of FIPS 140 validated cryptographic software modules. They deliver “Drop-in Compliance” as direct replacements for popular open-source crypto providers.

RapidCert White
RapidCert White

RapidCertTM

SafeLogic revolutionized the FIPS industry twelve years ago with RapidCert, the industry's first expedited rebranding program. Get a FIPS certification in your name in only two months with RapidCert.

MaintainCert White
MaintainCert White

MaintainCertTM

Now SafeLogic is revolutionizing FIPS again with MaintainCert. FIPS certificates go ‘historical’, meaning they are no longer valid, all the time. Not with MaintainCert, SafeLogic’s new white-glove support service.

Want to learn more about how SafeLogic can help with your FedRAMP effort? Speak with one of our FIPS experts!