What is FIPS 140 and What Does it Mean to Be “FIPS Compliant”?

Originally published by Titaniam.

FIPS was developed by the Computer Security Division of the National Institute of Standards and Technology (NIST). It established a data security and computer system standard that businesses must follow in accordance with the Federal Information Security Management Act of 2002. (FISMA). Federal government organizations in the United States are required by FISMA to minimize information technology risk to an acceptable level at a fair cost.

The Federal Information Security Modernization Act of 2014 (FISMA2014), which replaced FISMA in 2014, changed several of its original provisions to reflect the evolving nature of cybersecurity requirements and the need for supervision.

To be FIPS compliant (FIPS), organizations must follow the different data security and computer system standards described in the Federal Information Processing Standards.

A U.S. government agency or contractor’s computer systems must satisfy the criteria listed in the FIPS publications with the numbers FIPS 140, FIPS 180, FIPS 186, FIPS 197, FIPS 198, FIPS 199, FIPS 200, FIPS 201, and FIPS 202 to be considered FIPS compliant. In this blog, we will be focusing on FIPS 140.

“Security Requirements for Cryptographic Modules” according to FIPS 140

When creating, putting into use, and running cryptographic modules, the FIPS 140 standard is followed. The combination of hardware, software, and/or firmware known as a cryptographic module implements security features such as algorithm execution and key creation. The techniques for validating and testing the modules are also outlined in the standard.

The security standards cover cryptographic module interfaces, software and firmware security, operating environment, physical security, security parameter management, self-tests, attack mitigation, roles, services, and authentication. The cryptographic modules used by federal departments and agencies must pass testing to ensure they meet these requirements before they may be used.

FIPS Compliance Levels

“Level 1” through “Level 4” are the four security levels that are specified by FIPS 140-2. The levels rise, but they don’t always grow on top of one another. Additional testing is performed on a higher level for the level’s use case.

FIPS Level 1 is the first level of strong security certified by the FIPS standard. This level has fundamental security requirements for the cryptography module and the algorithms contained therein. Beyond the fundamental necessity for production-grade components, a Security Level 1 cryptographic module does not include any additional physical security features. PC encryption boards are an illustration of a Security Level 1 cryptographic module.

FIPS Security Level 2 requires additional physical security mechanisms on top of the Security Level 1 cryptographic module by mandating elements that demonstrate tampering, such as tamper-evident coatings or seals that must be broken to gain physical access to cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to prevent unauthorized physical access.

FIPS Security Level 3 makes an effort to stop intruders from accessing CSPs stored within the cryptographic module in addition to the tamper-evident physical security measures necessary at Security Level 2. At Security Level 3, physical security procedures are necessary. These mechanisms are designed to be very likely to detect and react to attempts at physical access, use, or modification of the cryptographic module. Strong enclosures and tamper-detection/response circuitry that zeroes all plaintext CSPs when the removable covers/doors of the cryptographic module are opened are two examples of physical security measures that could be used.

FIPS Security Level 4 offers a maximum level of security. To this degree, the physical security mechanisms surround the cryptographic module completely, serving as a barrier to prevent any illegal attempts at physical access from being made. There is a very high likelihood that any attempt to breach the enclosure of the cryptographic module will be identified, in which case all CSPs that include plaintext will be deleted immediately.

Cryptographic modules with Security Level 4 are helpful for use in areas without physical protection. A cryptographic module is shielded by Security Level 4 from security breaches brought on by external factors or variations outside the module’s typical working limits for voltage and temperature. Attackers may utilize deliberate deviations from the regular operating ranges to get around a cryptographic module’s defenses. For a reasonable assurance that the module won’t be impacted by fluctuations outside of the normal operating range in a way that can jeopardize the module’s security, a cryptographic module must either undergo rigorous environmental failure testing or include special environmental protection features designed to detect fluctuations and delete CSPs.

Utilizing FIPS 140 Validated Solutions to Secure Enterprise Data

Enterprises store, transact, and analyze large volumes of data and have an obligation to keep this data secure and private at all times. Enterprise data can exist in three states (at-rest, on-transit, and in-use) during its lifecycle and as it journeys through the enterprise and its network of suppliers and partners. Data at-rest and in-use can greatly benefit from the use of FIPS 140-2 validated encryption.

Securing Data-at-Rest: Applying FIPS 140-2 validated encryption to data-at-rest i.e that is stored and not in active use, ensures that unauthorized entities cannot read the data even if they have access to the data files. The use of FIPS 140-2 validated encryption guarantees the strength of the underlying algorithms.

Securing Data-in-Use: Although data-in-use encryption is a relatively new area, we now have techniques that can keep valuable data encrypted even when it is actively being utilized by databases and applications. Depending on the specific encryption-in-use methodology, this can be secured using FIPS 140-2 validated encryption.

Specific areas where FIPS 140-2 validated encryption can be used to secure enterprise data are: data-at-rest for all types of databases, repositories, both structured and unstructured; for FIPS 140-2 validated data-in-use encryption (encryption-in-use).

Many of these platforms such Enterprise Search platforms like Elasticsearch and OpenSearch must index and persist large amounts of clear text data for searches and analytics. These platforms are ideal prey for data-hungry ransomware and extortion criminals, who either hunt for improperly configured clusters or steal admin credentials. Similarly, misconfigured or commonly accessible AWS S3 buckets are another major source of data compromise.

The Importance of Being FIPS Compliant

All users should be informed of the value of security awareness and the necessity of making information security a management priority. Organizations should identify their information resources and assess the sensitivity to and potential impact of losses because information security needs vary from application to application. The selection of available controls, such as administrative policies and procedures, environmental and physical controls, information and data controls, software development and acquisition controls, and backup and contingency planning, should be based on probable risks.