February 17, 2020

Understanding FIPS

Written by Tyler Moore

An introduction to the Federal Information Processing Standards

A steady cadence of attacks has made security a priority for governments, and companies wishing to work with the federal government must now comply with federally mandated security standards. At RStor we take security to heart and will examine data security related topics in a series of posts. In this post we will take a closer look at one of the standards used not only in the US federal government, but also in the financial services industry and other sectors.

FIPS (Federal Information Processing Standards) is a set of standards that describe document processing, encryption algorithms and other information technology processes for use within non-military federal government agencies and by the government contractors and vendors who work with these agencies. The US federal government, specifically the National Institute of Standards and Technology (NIST), publishes the documents that define FIPS. The FIPS publications describing these standards may be found online (FIPS PUBS).

Whenever a company designs or implements a cryptographic module that a federal department or agency operates, or that is operated for it under contract, FIPS must be followed. The FIPS 140-2 standard prohibits agencies from using unapproved cryptography on sensitive data within the federal government. Any contractor or service provider who works with the U.S. government must also follow FIPS.

The Federal Information Processing Standard 140-2 (FIPS 140-2) is an information technology security accreditation program for validating that the cryptographic modules produced by private sector companies meet well-defined security standards. To learn more, read FIPS PUB 140-2 Security Requirements For Cryptographic Modules.

What is FIPS 140-2 Encryption?

The U.S. federal government has set an encryption standard for its non-military agencies. Use of this standard is mandatory for these agencies and is enforced under the Federal Information Security Management Act (FISMA) of 2002.

Who must be FIPS 140-2 compliant?

FIPS 140-2 validation is mandatory for use in federal government departments that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. This applies to all federal agencies as well as their contractors and service providers, including networking and cloud service providers.

Anyone deploying systems into a U.S. federal SBU environment, including cloud services, is required to comply with FIPS 140-2. All encryption associated with the computer systems, solutions and services used by federal government agencies must meet the standards specified in FIPS PUB 140-2. Only products validated as FIPS 140-2 compliant may be considered for use.

FIPS 140-2 is used extensively in many state and local government agencies as well as non-governmental industries, particularly manufacturing, healthcare, and financial services, or wherever there are federal regulations governing data security. Regulations in such industries may require FIPS 140-2 compliance. FIPS is also recognized as an important security standard outside the United States.

How can an IT system become “FIPS 140-2 compliant”?

The cryptographic module, whether it be hardware or software, of a computer system must meet the standards of FIPS 140-2.

The FIPS 140-2 standard specifies 4 Security Levels, and within each level there are 11 areas covering the design and implementation of a module's cryptography. In each area, a cryptographic module receives a rating that reflects the highest security level for which the module fulfills all of that area's requirements.

FIPS accreditation simply validates that an encryption solution meets a specific set of requirements designed to protect the cryptographic module from being cracked, altered, or otherwise tampered with. Once an IT product or solution has attained this accreditation, it can be deployed or operated by U.S. federal agencies and their contractors. Lacking the certification makes it harder for federal staff to deploy the product or solution: they must take additional steps to either demonstrate that the system is safe to operate or limit the deployment to a part of the IT systems that is exempt from FIPS 140-2 requirements. All federal agencies are mandated by FISMA to use FIPS 140-2 compliant systems.
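A validated module only helps if it is actually operating in its FIPS-approved mode on the deployed system, so the first thing an operator usually checks is whether the platform reports FIPS mode and whether the crypto library really refuses non-approved algorithms. The script below is an added example for this post, not RStor's code or anything defined by the FIPS 140-2 publication. It assumes a Linux host whose kernel exposes the `/proc/sys/crypto/fips_enabled` flag (`1` when FIPS mode is on), and that the OpenSSL backing Python's `hashlib` refuses to construct MD5 (a non-approved digest) while in FIPS mode; the verdict strings are this example's own.

```python
"""Probe whether a Linux host's cryptographic modules are operating in FIPS mode.

Added example for this post, not RStor's code. Assumptions: a Linux kernel built
with FIPS support exposes /proc/sys/crypto/fips_enabled ("1" when FIPS mode is
on, "0" otherwise), and the OpenSSL behind Python's hashlib refuses to build
non-approved digests such as MD5 while it runs in FIPS mode.
"""
import hashlib
from pathlib import Path

# Kernel flag exposed by FIPS-capable Linux distributions (assumption: Linux host).
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def parse_fips_flag(contents):
    """Interpret the text of fips_enabled.

    Returns True for "1", False for "0", and None for anything else, so a
    caller never mistakes an unreadable or unexpected value for "enabled".
    """
    value = contents.strip()
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def kernel_fips_enabled(path=FIPS_FLAG):
    """Read the kernel flag; None means it is absent (no FIPS support, or not Linux)."""
    try:
        return parse_fips_flag(Path(path).read_text())
    except OSError:
        return None


def non_approved_digest_usable():
    """True if MD5 (not FIPS-approved) can still be constructed by the crypto library.

    With OpenSSL in FIPS mode the constructor raises ValueError; elsewhere it succeeds.
    """
    try:
        hashlib.new("md5")
        return True
    except ValueError:
        return False


def fips_status(kernel_flag, md5_usable):
    """Combine the two observations into a single verdict (strings are this example's own).

    "enabled"      : kernel reports FIPS mode and non-approved digests are blocked
    "disabled"     : kernel reports FIPS mode off and non-approved digests are available
    "inconsistent" : the kernel flag and the library behaviour disagree
    "unknown"      : the kernel flag could not be read
    """
    if kernel_flag is None:
        return "unknown"
    if kernel_flag and not md5_usable:
        return "enabled"
    if not kernel_flag and md5_usable:
        return "disabled"
    return "inconsistent"


if __name__ == "__main__":
    flag = kernel_fips_enabled()
    usable = non_approved_digest_usable()
    print(f"kernel fips_enabled: {flag}")
    print(f"MD5 constructible:   {usable}")
    print(f"verdict:             {fips_status(flag, usable)}")
```

An "inconsistent" verdict is the interesting one for an operator: a kernel flag set to 1 while the library still hands out MD5 usually means the userspace crypto library was not configured for FIPS mode, which is exactly the gap an auditor would flag even though a validated module is installed.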

Visit RStor again for more information on data storage and data compliance topics.
