What is the Cybersecurity Maturity Model Certification (CMMC) 2.0?

The Cybersecurity Maturity Model Certification (CMMC) is a significant initiative by the Department of Defense (DoD) aimed at fortifying the defense industrial base (DIB) against sophisticated and frequent cyber threats. The DoD recently introduced an updated version of the original Cybersecurity Maturity Model Certification, known as CMMC 2.0. This version consists of three levels instead of five in order to simplify the process and reduce the burden on small and medium-sized businesses that may have struggles to meet the requirements of the higher levels in the previous model.

Who is subject to CMMC 2.0?

All prime- and sub-contractors of the DoD who intend to bid on future contracts containing the CMMC DFARS clause will need to secure a CMMC certification from a certified third-party assessment organization (C3PAO) before the contract is awarded. Any contractor who accesses, processes, or stores Federal Contract Information (FCI) will at least require a Level 1 CMMC 2.0 Certification. If a contractor accesses, processes or stores Controlled Unclassified Information (CUI), they will be required to undergo a third-party assessment to obtain a Level 2 or Level 3 CMMC 2.0 Certification.

What is the relationship between CMMC 2.0 and FIPS 140?

The Cybersecurity Maturity Model Certification (CMMC) and the Federal Information Processing Standards (FIPS 140) have a distinct but interconnected relationship in strengthening cybersecurity infrastructure. FIPS 140 sets the benchmark for cryptographic modules intending to protect sensitive information. Integral to the realization or CMMC goals, it requires that cryptography modules be tested by third-party labs and certified by NIST as meeting government standards for encryption. To fulfill CMMC Level 2 or Level 3 requirements, organizations must use encryption methods that are FIPS 140 validated.

How are companies seeking CMMC getting tripped up by FIPS 140 validation?

FIPS 140 used to be required only for technology companies that sold their software to the federal government. With CMMC, the FIPS 140 requirement applies to every member of the DIB that handle CUI. Any system that performs encryption and touches CUI must use FIPS validated cryptography. Traditional FIPS 140 validations can take as long as two years.

How does SafeLogic overcome the FIPS 140 problem for the CMMC ecosystem?

SafeLogic offers FIPS 140 Validation-as-a-Service, guaranteeing your company a FIPS 140 certificate in your own name in just two months, whereas traditional validation can take up to two years. SafeLogic ensures your FIPS 140 certification remains 'active' in spite of changing requirements. When a technology vendor obtains FIPS 140 Validation for a product, they can sell that product to federal agencies and companies in the Defense Industrial Base that are pursuing CMMC contracts.

OpenSSL 3.x, TLS 1.3 and FIPS 140

Many Organizations Are Moving to OpenSSL 3 and TLS 1.3

OpenSSL is a widely used cryptographic library. OpenSSL 3 is the latest generation of the open-source software. Many organizations want to implement OpenSSL 3 because it incorporates the newest architecture, latest APIs, 2x faster connection speeds, the most recent security bug fixes, and support for the latest generation of encryption algorithms.

OpenSSL 3 includes support for Transport Level Security (TLS) 1.3, the latest version of the protocol. TLS 1.3 incorporates many improvements over previous versions, such as stronger encryption, faster time-to-key exchange that allows connections to be established more quickly than before, and support for modern transport protocols like QUIC that work well with mobile devices and other hardware without slowing down performance or increasing latency.

Given the security improvements in OpenSSL 3 and TLS 1.3, some security regulations are now mandating their adoption.

But FIPS 140 Certification is Still a Requirement

NIST CMVP Page

FIPS 140 validation is required for products containing cryptography to be used by government agencies. It is also required by security regulations, including FedRAMP, StateRAMP, Common Criteria, CyberSecurity Maturity Model Security (CMMC) 2.0, DoDIN APL, and CNSA 2.0, among others.

As NIST transitions from FIPS 140-2 to 140-3, they have a huge backlog of modules in the certification process. But NIST is no longer certifying new modules against 140-2. As a result, organizations seeking to use the new OpenSSL 3 APIs and/or TLS 1.3 with a FIPS-validated cryptographic module have limited options.

To make matters even more challenging, some of the same security frameworks that mandate FIPS 140 are also now mandating the use of OpenSSL 3 and or TLS 1.3.

CryptoComply Now Has an OpenSSL 3 + TLS 1.3 + FIPS Validated Cryptography Option

CryptoComply OpenSSL 3 FIPS Provider allows organizations to implement OpenSSL 3 and TLS 1.3 with a FIPS-validated cryptographic module.

For existing CryptoComply customers, the new software is available as an optional upgrade. To use it, they will need to migrate to the OpenSSL 3 architecture and then use CryptoComply OpenSSL 3 FIPS Provider as a drop-in replacement. CryptoComply customers can use this provider with their existing FIPS 140-2 certificate.

For companies that are not CryptoComply for Server (CCS) customers yet want to use OpenSSL 3 / TLS 1.3 with a FIPS-validated module, CryptoComply OpenSSL 3 FIPS Provider is also a good option. With SafeLogic’s RapidCert program, companies can obtain a FIPS-validated encryption module and a listing on the NIST FIPS 140 certification website in as little as two months. Furthermore, their FIPS-validated encryption module will work with OpenSSL 3 and TLS 1.3.

CryptoComply OpenSSL 3 FIPS Provider Now Works on Apple iOS Devices

SafeLogic is excited to announce the launch of its CryptoComply OpenSSL 3 FIPS Provider for iOS Early Access Program (EAP). With this EAP, SafeLogic is making a FIPS 140 validated cryptographic module for IOS devices, compatible with the OpenSSL 3.0 architecture, available for testing. As a result, iOS applications can now use important features in OpenSSL 3.0, such as TLS 1.3, while meeting strict government requirements for strong cryptography with a FIPS 140 validated cryptographic module.

CryptoComply OpenSSL 3 FIPS Provider

FIPS 140 Validated Cryptography for OpenSSL 3.x + TLS 1.3

Many Organizations Are Moving to OpenSSL 3 and TLS 1.3

But FIPS 140 Certification is Still a Requirement

CryptoComply Now Has an OpenSSL 3 + TLS 1.3 + FIPS Validated Cryptography Option

CryptoComply OpenSSL 3 FIPS Provider Now Works on Apple iOS Devices

Want to know more about how SafeLogic can help with your OpenSSL 3 / TLS 1.3 strategy? Speak with one of our FIPS 140 experts!