If you work in IT for a regulated industry, security is one of your top priorities. Especially when working for the government, healthcare or finance, it is extremely important that products and services adhere to government-approved security requirements to ensure that private and sensitive data is protected.
The Federal Information Processing Standards (FIPS) are the most commonly known security rule sets that cryptography in products must adhere to, but what exactly are they and why are they important to understand?
What is FIPS?
FIPS is a set of rules that outline the basic security needs of cryptographic modules used in computer and telecommunication systems. These rules, or standards, are mandatory for non-military, government-run vendors, as well as healthcare and finance businesses that utilize cryptographic modules to protect sensitive data. A cryptographic module, according to entrust.com, is “any combination of hardware, firmware, or software that implements cryptographic functions such as encryption, decryption, digital signatures, authentication techniques and random number generation.”
The publications and documents associated with FIPS are issued by the National Institute of Standards and Technology (NIST), which is basically a huge federal agency within the US Department of Commerce that provides standards for industries, predominantly other government agencies. Their most recent publication of FIPS is known as FIPS 140-2, which like the previous version (FIPS 140-1), has four “security levels” of validation that go in increasing strength, with level 1 having the most basic security necessities and level 4 having the most rigorous standards.
A particular level requires that the previous levels also be met, but not every product must reach level 4. For example, level 1 provides the most basic security with practically no physical security requirements; a personal computer encryption board is an example of a validated Security Level 1 cryptographic module. For a PC to be validated at Security Level 2, it would need to comply with all the standards outlined in level 1 and additionally meet the role-based authentication and tamper-evidence requirements of level 2.
Certain levels are only appropriate for certain products or solutions. Not every product needs to be validated at Security Level 4; a PC, for example, does not. Getting your software or hardware validated, however, is not a short or straightforward process. It’s not as simple as abiding by the rulebook and proclaiming to follow FIPS (although this is basically what it means to be FIPS compliant, but I’ll talk about that later). Obtaining FIPS 140-2 validation requires an intensive review and testing process carried out by an accredited source. It’s long and complex, but here’s the gist.
How Does a Vendor Become FIPS 140-2 Validated?
In short, FIPS 140-2 Validated means that a product has been reviewed, tested, and approved by an accredited (NIST approved) testing lab. “A product or implementation does not meet the FIPS 140-1 or FIPS 140-2 applicability requirements by simply implementing an approved security function and acquiring algorithm validation certificates.” That’s right, if you want a product to be 100% approved and validated, it has to undergo the entire process through the Cryptographic Module Validation Program (CMVP) where it comes out pretty and stamped with official validation. This process varies greatly in cost and time, but here’s a simple rundown of the steps:
- Figure out what needs to be validated. Identify the “cryptographic boundary”; in other words, figure out exactly which parts of the product need to be tested and approved. To be validated, every aspect of cryptography within that boundary must be tested and approved by one of the NIST accredited testing labs. There are over a dozen labs to choose from. The cost of validation will depend on how complex the product is.
- Make sure you are compliant. As I said before, being compliant does not mean a product that contains cryptographic modules is validated. Being FIPS compliant means only certain aspects of a product have been tested and approved, which means there could be gaps in the security of the product. If the entire product has not been tested and approved as FIPS validated, the product is only FIPS compliant.
- Every submission must include a Security Policy that outlines what the module is and how it complies with FIPS. There are documentation requirements in 11 different areas, such as ports, interfaces, and authorization, and all of them must be addressed.
- Last but not least, the vendor must send the product off to an accredited Cryptographic Module Testing (CMT) lab to be reviewed and tested. If something is wrong in any of these processes, the module is sent back and will need to be changed. This step has 5 substeps of its own and can take up to 16 months to finalize.
But What’s the Difference between FIPS Validated and FIPS Compliant?
I’ve mentioned the word “validation” or “certification” a couple of times, but you might have also heard the word “compliant” in association with FIPS. What does compliance have to do with all this? Although the two words sound like they should go hand in hand, there is in fact an important distinction between them when it comes to FIPS.
It doesn’t take too much to be FIPS compliant. In fact, all it really takes is the word of the company or vendor that says their product is compliant with FIPS. The vendor can go one step further and obtain validation certificates, or incorporate a third party’s validated solution, but unless the module itself has gone through rigorous testing and approval, it is not FIPS validated.
Another instance where FIPS compliance is used is when a product is only partially FIPS validated. This means that certain components of the module have been tested, but the product itself is not wholly validated. This is an important distinction: if not every aspect of the product’s cryptography has been tested and validated, there is always the possibility of a vulnerability. It is far better to be FIPS validated than FIPS compliant.
How Can I See if a Product is FIPS Validated?
All validated modules are listed on the NIST site. You can run a basic or advanced search, or simply search for the vendor of the product you’re using. The results list the certificate number, vendor name, module name, module type, and validation date. For more information, such as the validation level or the lab that tested it, click the certificate number. For a detailed understanding of a FIPS validation listing, check out this page. If you can’t find anything on the NIST page, it’s probably because the product you’re using embeds another product that is validated. In that case, you need to find the specific certificate numbers, which are usually available on the vendor’s website.
Why Should I Care?
If your product is being sold to a US government agency or to an organization linked to the government, it must be FIPS 140-2 validated, and FIPS validation/compliance has become extremely common in the private sector as well. The same goes for any product that handles sensitive data in healthcare and finance.
Companies that provide technology products, or that use secure software to provide a service, such as healthcare and financial firms, make a point of having their modules validated or purchasing validated products because it shows a commitment to basic security needs. Obtaining validation demonstrates that a vendor takes security seriously and assures customers that it abides by the security standards issued by the US and Canadian governments.