An Overview of FIPS 140-2 Encryption and Compliance Requirements
Encryption is considered an essential security technology to protect sensitive data, but the fact is, there is no single standard way to encrypt information. Various encryption schemes use different algorithms to transform clear text information into ciphertext, and they are not equally effective in securing information.
Organizations in the private sector can choose whatever encryption schemes work best for them. The U.S. federal government, however, has set an encryption standard for its non-military agencies. Use of this standard is mandatory for these agencies and is enforced according to the Federal Information Security Management Act (FISMA) of 2002. Contractors and service providers who work with the U.S. government must also follow FIPS.
FIPS (Federal Information Processing Standards) is a set of standards that describe document processing, encryption algorithms and other information technology processes for use within non-military federal government agencies and by government contractors and vendors who work with these agencies. The publications pertaining to these standards (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to FISMA.
The Federal Information Processing Standard 140-2 (FIPS 140-2) is an information technology security accreditation program for validating that the cryptographic modules produced by private sector companies meet well-defined security standards. FIPS PUB 140-2 provides details about the Security Requirements For Cryptographic Modules.
This standard must be used in designing and implementing cryptographic modules that federal departments and agencies operate, or that are operated for them under contract. FIPS 140-2 prohibits agencies from using unapproved cryptography to protect sensitive data within the federal government.
What organizations FIPS 140-2 applies to
FIPS 140-2 validation is mandatory for use in federal government departments that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. This applies to all federal agencies as well as their contractors and service providers, including networking and cloud service providers.
Anyone deploying systems into a U.S. federal SBU environment – and this includes cloud services – is required to comply with FIPS 140-2. In other words, the encryption used by the computer systems, solutions and services of federal government agencies must meet the minimum requirements specified in FIPS PUB 140-2. This has a huge impact on the IT procurement process, as the only solution vendors that can be considered (without obtaining a variance) are those whose products have been validated as FIPS 140-2 compliant.
FIPS 140-2 has also become the de facto standard for encryption beyond the federal government and is recognized as an important security standard outside the United States. It is used extensively in many state and local government agencies as well as in non-governmental industries, particularly manufacturing, healthcare, and financial services, and wherever federal regulations govern data security. Regulations in such industries may require FIPS 140-2 compliance.
What it means for an IT system to be “FIPS 140-2 compliant”
Many types of computer systems incorporate encryption into their design. For example, networking and telecommunication systems often encrypt data they transmit. Point-of-sale devices may contain a chip that encrypts payment data. Some cloud applications encrypt data at rest in their storage systems. It is the cryptographic module – whether it be hardware or software – of such systems that must meet the standards of FIPS 140-2.
The FIPS 140-2 standard specifies four Security Levels, and at each level there are 11 requirement areas covering the design and implementation of the cryptographic module. The module is rated in each area, which shows the relative strengths and weaknesses of each validated product. The module then receives an overall rating equal to the highest security level whose requirements it meets in every area.
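To make the rating scheme concrete, the following Python is an added example, not code from the article or from NIST: it takes a module's per-area ratings across the 11 FIPS 140-2 requirement areas, derives the overall Security Level (the highest level met in every area, i.e. the minimum per-area rating), and lists which areas keep the module below the level a deployment requires. The area names are those of Section 4 of FIPS PUB 140-2; the sample ratings are constructed, and representing an area marked N/A on a validation certificate as `None` is this example's own convention.

```python
# Added example (not from the article): rate a cryptographic module against
# the eleven FIPS 140-2 requirement areas and find which areas hold it back.

# The eleven areas from Section 4 of FIPS PUB 140-2.
FIPS_140_2_AREAS = (
    "Cryptographic Module Specification",
    "Cryptographic Module Ports and Interfaces",
    "Roles, Services, and Authentication",
    "Finite State Model",
    "Physical Security",
    "Operational Environment",
    "Cryptographic Key Management",
    "EMI/EMC",
    "Self-Tests",
    "Design Assurance",
    "Mitigation of Other Attacks",
)

VALID_LEVELS = (1, 2, 3, 4)


def _validate(area_levels):
    """Reject incomplete or out-of-range ratings. None stands for an area
    marked N/A on the certificate (this example's convention, e.g. Physical
    Security for a software-only module)."""
    missing = [a for a in FIPS_140_2_AREAS if a not in area_levels]
    if missing:
        raise ValueError(f"no rating for area(s): {missing}")
    for area, level in area_levels.items():
        if area not in FIPS_140_2_AREAS:
            raise ValueError(f"unknown area: {area!r}")
        if level is not None and level not in VALID_LEVELS:
            raise ValueError(f"{area}: level must be 1-4 or None, got {level!r}")


def overall_level(area_levels):
    """Overall Security Level of the module: the highest level whose
    requirements are met in every rated area, i.e. the minimum per-area rating."""
    _validate(area_levels)
    rated = [lvl for lvl in area_levels.values() if lvl is not None]
    if not rated:
        raise ValueError("module has no rated areas")
    return min(rated)


def shortfalls(area_levels, required_level):
    """Areas whose rating is below the overall level a deployment requires,
    in the order the standard lists them."""
    _validate(area_levels)
    if required_level not in VALID_LEVELS:
        raise ValueError(f"required level must be 1-4, got {required_level!r}")
    return [
        area for area in FIPS_140_2_AREAS
        if area_levels[area] is not None and area_levels[area] < required_level
    ]


# Constructed sample: a software module that meets Level 2 in most areas but
# only Level 1 in Operational Environment (ratings invented for illustration).
SAMPLE_MODULE = {area: 2 for area in FIPS_140_2_AREAS}
SAMPLE_MODULE["Physical Security"] = None           # N/A for software-only modules
SAMPLE_MODULE["Mitigation of Other Attacks"] = None  # nothing claimed
SAMPLE_MODULE["Operational Environment"] = 1


if __name__ == "__main__":
    print("overall level:", overall_level(SAMPLE_MODULE))   # 1
    print("blocks Level 2:", shortfalls(SAMPLE_MODULE, 2))  # ['Operational Environment']
```

The practical use is in procurement review: a certificate may advertise strong ratings in most areas, yet the overall level that matters for an SBU deployment is set by the weakest rated area, and `shortfalls` names it.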
The importance of using cryptographic modules that are FIPS certified or compliant
FIPS accreditation validates that an encryption solution meets a specific set of requirements designed to protect the cryptographic module from being cracked, altered, or otherwise tampered with. Once an IT product or solution has attained this accreditation, it can be deployed or operated by U.S. federal agencies and their contractors. Lacking the certification makes it harder for federal staff to deploy the product or solution because they have to take additional steps to demonstrate the system is safe to operate, or limit the deployment to a part of the IT systems that is exempt from having to meet FIPS 140-2 requirements.
Federal agencies are mandated by FISMA to use FIPS 140-2 compliant systems. Agencies that are non-compliant with FISMA regulations and security standards are more likely to have vulnerabilities in their information systems that put SBU data at risk.