FIPS Certified vs FIPS Compliance: Clearing Up the Confusion

If you work in IT for a regulated industry, security is one of your top priorities. Especially when working for the government, healthcare or finance, it is extremely important that products and services adhere to government-approved security requirements to ensure that private and sensitive data is protected.

The Federal Information Processing Standards (FIPS) are the most commonly known security rule sets that cryptography in products must adhere to, but what exactly are they and why are they important to understand?

FIPS 140 is the set of requirements that cryptographic modules used in computer and telecommunication systems must meet. Using validated modules is mandatory for non-military U.S. federal agencies, and for contractors that protect sensitive but unclassified government data on their behalf; healthcare and finance businesses are not bound by it in law, but commonly adopt it for the cryptography that protects sensitive data. A cryptographic module, according to entrust.com, is “any combination of hardware, firmware, or software that implements cryptographic functions such as encryption, decryption, digital signatures, authentication techniques and random number generation.”

The FIPS publications are issued by the National Institute of Standards and Technology (NIST), a non-regulatory agency within the US Department of Commerce whose standards bind federal agencies and are widely adopted by industry. The version discussed here is FIPS 140-2, which like its predecessor (FIPS 140-1) defines four “security levels” of increasing strength, with Level 1 covering the most basic security necessities and Level 4 the most rigorous. FIPS 140-3 has since superseded 140-2 (it aligns the requirements with ISO/IEC 19790) and keeps the same four-level structure; the CMVP no longer accepts new FIPS 140-2 submissions, although existing 140-2 certificates stay on the validated list until they are moved to the historical list.

Each level includes the requirements of the levels below it, but not every product must reach Level 4. Level 1 is the baseline: at least one approved algorithm or security function, and no physical security mechanisms beyond production-grade components; FIPS 140-2 gives a personal computer encryption board as an example of a Level 1 module, and a software module running on an ordinary PC also sits here. To be validated at Level 2, a module must meet everything in Level 1 and additionally show evidence of tampering (tamper-evident coatings or seals, or pick-resistant locks on removable covers) and enforce role-based authentication, so an operator must assume an authorised role before using the module's services.

Certain levels are only appropriate for certain products or solutions; a PC encryption product, for example, does not need Level 4. Getting your software or hardware validated, however, is not a short or straightforward process. It is not as simple as following the rulebook and proclaiming that you follow FIPS (although that is basically what it means to be FIPS compliant, as I'll discuss later). FIPS 140-2 validation requires an intensive review and testing process performed by an accredited laboratory and then reviewed by NIST. It's long and complex, but here's the gist.

As video surveillance and security technology become more advanced, companies are relying more on cloud services, big data and AI analytics. This means there is an increasing amount of sensitive data like PII (personally identifiable information) being collected and stored. To protect this data and demonstrate secure practices on par with the U.S. government, many organizations are looking into FIPS certification and compliance.

However, there is often confusion surrounding FIPS compliance versus FIPS certification. This article will explain the key differences and provide clarity on these important standards for data security.

What is FIPS?

FIPS stands for Federal Information Processing Standards. These are standards and guidelines for information security issued by the National Institute of Standards and Technology (NIST). They were created to establish requirements for computer systems used by U.S. government agencies and their contractors.

Although originally intended for federal agencies, FIPS have become widely adopted by state governments, financial institutions, hospitals, and other organizations that handle sensitive data. By meeting FIPS requirements, companies can reassure customers that their systems and data encryption meet rigorous standards.

FIPS Compliance vs. FIPS Certification: Key Differences

Many use the terms “FIPS compliant” and “FIPS certified” interchangeably, but they have distinct meanings:

  • FIPS Compliant – A vendor's own statement that the product follows FIPS requirements, typically because it uses FIPS-approved algorithms or embeds a cryptographic module that someone else had validated. No laboratory has tested the product itself, and nothing stops a vendor from using the term loosely.

  • FIPS Certified (more precisely, FIPS 140 Validated) – The cryptographic module, within a defined cryptographic boundary, has met all applicable FIPS 140 requirements and passed independent testing by an accredited laboratory, with the results reviewed by NIST's Cryptographic Module Validation Program (CMVP) and recorded in a numbered certificate. This article's estimate for the process is 6-9 months.

In other words, compliance is a claim and validation is a certificate. Note that the certificate covers the module inside its boundary, not everything the product does; a product that embeds a validated module is "using validated cryptography", which is compliance, not validation of the product. Validation provides a higher level of assurance.

Why Does Certification Matter?

For organizations that work with government agencies and handle sensitive data, FIPS certification is mandatory, not optional. Without certification, companies may need to go through extra steps to assure clients their systems are secure.

The testing also surfaces implementation defects, such as failing self-tests or non-approved algorithms reachable in the approved mode, before a customer or an attacker finds them. Non-validated products are barred from deployments that require validated cryptography, because the parts that were never tested do not meet the standard.

Although certification takes time and effort, it brings peace of mind that systems adhere to globally recognized security guidelines. The reputation benefit is significant.

Who Needs FIPS Certification?

If an organization collects, stores, transfers, or shares sensitive unclassified federal data, the cryptography that protects it must be FIPS 140 validated: federal agencies are required to use validated modules, and they pass that requirement on to contractors by contract. This includes IT systems and video surveillance technologies that capture personally identifiable information on an agency's behalf.

FIPS certification has also been voluntarily adopted by healthcare, financial services, manufacturing, and other fields that manage sensitive data. It reassures customers that systems meet top security standards.

What is FIPS 140-2?

FIPS 140-2 is one of the most widely referenced security standards. It specifies the requirements that cryptographic modules used to protect sensitive information must meet, covering not only encryption but also key management, authentication, self-tests and physical security.

There are four levels of FIPS 140-2 validation, each including the requirements of the levels below it, with Level 4 imposing the most rigorous physical and operational requirements:

  • Level 1 – The baseline: at least one approved algorithm or security function, production-grade components and no specific physical security mechanisms; a software module may run on a general-purpose computer with an unevaluated operating system
  • Level 2 – Adds tamper evidence (coatings, seals or pick-resistant locks on covers and doors) and role-based authentication
  • Level 3 – Adds tamper detection and response that zeroizes critical security parameters when covers or doors are opened, identity-based authentication, and physically or logically separated ports for entering and outputting plaintext keys
  • Level 4 – A complete envelope of protection that detects and responds to any physical penetration, plus protection against environmental attacks such as out-of-range voltage or temperature

What Does the Certification Process Involve?

Here are the key steps to achieve FIPS certification:

  • Define the “cryptographic boundary”: the explicit perimeter (hardware, firmware or software) that contains the module's cryptographic functions and keys. Everything inside it is what the laboratory tests; everything outside it is out of scope of the certificate. Assess the module against the requirements and note the areas needing improvement.

  • Make necessary upgrades to become fully FIPS compliant. The system must meet all applicable standards.

  • Submit the product to an accredited laboratory for independent testing and validation. This process takes 6-9 months.

  • If any requirement fails testing, make corrections and resubmit. Code or hardware changes inside the cryptographic boundary after certification also require re-validation, because the certificate names a specific module version.

  • Once the system passes testing, it is awarded FIPS certification.

Maintaining certification requires staying up-to-date on evolving standards and retesting after major system changes. It is an ongoing process.

Can Vendors Claim Compliance Without Certification?

Some vendors market products as “FIPS compliant” without completing independent laboratory testing for certification. Nothing prohibits this, but a compliance claim that is not backed by a CMVP certificate number can be misleading: it may mean the product embeds someone else's validated library, that it merely uses FIPS-approved algorithms, or nothing verifiable at all.

If FIPS certification matters for your system security, verify the claim yourself rather than relying on the vendor's wording. Ask for the CMVP certificate number and look it up on NIST's validated modules list (https://csrc.nist.gov/projects/cryptographic-module-validation-program): check that the status is Active (federal agencies should not include modules on the Historical list in new procurements), that the module name and version match what actually ships in the product, that your operating environment is among those tested or is covered by vendor affirmation, and read the module's Security Policy for how the approved mode must be configured. Remember that the certificate covers the module inside its boundary, not the product around it.
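The checks above can be written down as a small review script. The following is an added example, not code from the original article or from NIST: the record layout is my assumption, loosely modelled on the fields NIST shows for each entry on the CMVP validated modules list (certificate number, module name and version, standard, status, overall level, sunset date, tested operational environments), not NIST's actual data export, and the registry entries and vendor claims are constructed for the example.

```python
"""Check a vendor's FIPS claim against a CMVP-style certificate record.

Added example, not code from the original article. The record layout is an
assumption modelled on the fields NIST shows on the CMVP validated modules
list; it is not NIST's data export, and the entries below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class CmvpRecord:
    cert_number: int
    module_name: str
    version: str
    standard: str            # "FIPS 140-2" or "FIPS 140-3"
    status: str              # "Active", "Historical" or "Revoked"
    overall_level: int       # 1 to 4
    sunset: Optional[date]   # None if no sunset date is listed
    tested_oes: List[str] = field(default_factory=list)


@dataclass
class VendorClaim:
    product: str                  # the product the datasheet describes
    cert_number: Optional[int]    # None when no certificate is cited
    module_name: Optional[str]
    version: Optional[str]
    deployed_oe: str              # where you will actually run it


# Constructed sample registry standing in for a lookup on the CMVP list.
SAMPLE_REGISTRY = {
    1001: CmvpRecord(1001, "Example Crypto Library", "3.0.8", "FIPS 140-2",
                     "Active", 1, date(2026, 9, 21),
                     ["Ubuntu 22.04 on Intel Xeon", "RHEL 9 on Intel Xeon"]),
    1002: CmvpRecord(1002, "Example Crypto Library", "2.0.16", "FIPS 140-2",
                     "Historical", 1, None,
                     ["Ubuntu 18.04 on Intel Xeon"]),
}


def evaluate_claim(claim: VendorClaim,
                   registry=SAMPLE_REGISTRY,
                   today: date = date(2025, 1, 1)) -> Tuple[str, List[str]]:
    """Return (verdict, findings).

    verdict is 'validated' (a current certificate backs the claim),
    'compliant-only' (vendor self-declaration, nothing to verify) or
    'unsupported' (the cited certificate does not back the claim).
    findings list what a reviewer should record, in the order checked.
    """
    findings: List[str] = []

    # 1. A claim with no certificate number cannot be verified at all.
    if claim.cert_number is None:
        findings.append("no CMVP certificate number cited: this is a vendor "
                        "self-declaration of 'compliance', not a validation")
        return "compliant-only", findings

    # 2. The certificate must exist on the list.
    rec = registry.get(claim.cert_number)
    if rec is None:
        findings.append(f"certificate #{claim.cert_number} is not on the CMVP list")
        return "unsupported", findings

    backed = True
    # 3. It must be current: Historical and Revoked entries do not support
    #    new procurements, and a passed sunset date means the same.
    if rec.status != "Active":
        backed = False
        findings.append(f"certificate #{rec.cert_number} is {rec.status}, not Active")
    if rec.sunset is not None and rec.sunset <= today:
        backed = False
        findings.append(f"certificate #{rec.cert_number} sunset {rec.sunset} has passed")
    # 4. The certificate must name the module and version actually shipped.
    if (claim.module_name, claim.version) != (rec.module_name, rec.version):
        backed = False
        findings.append(f"claimed module '{claim.module_name} {claim.version}' does "
                        f"not match the certificate's '{rec.module_name} {rec.version}'")
    # 5. Running on an untested operational environment rests on vendor
    #    affirmation, which the lab never tested; flag it, but it does not
    #    by itself invalidate the certificate.
    if claim.deployed_oe not in rec.tested_oes:
        findings.append(f"deployed OE '{claim.deployed_oe}' was not lab-tested; "
                        "validation there rests on vendor affirmation")
    # 6. Scope: the certificate covers the module inside its boundary, never
    #    the surrounding product, so the product only 'uses a validated module'.
    findings.append(f"certificate #{rec.cert_number} covers the module "
                    f"'{rec.module_name}' only; '{claim.product}' as a whole is not "
                    "validated")
    return ("validated" if backed else "unsupported"), findings


if __name__ == "__main__":
    claim = VendorClaim("Example Camera Gateway", 1001, "Example Crypto Library",
                        "3.0.8", "Windows Server 2022 on Intel Xeon")
    verdict, notes = evaluate_claim(claim)
    print(verdict)
    for note in notes:
        print(" -", note)
```

The verdict deliberately never upgrades a product to "validated": even when every check passes, the last finding records that only the module is covered. A real review replaces `SAMPLE_REGISTRY` with what you read off the NIST list and adds a check of the Security Policy's approved-mode configuration, which no script can do for you.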

Frequently Asked Questions

Do financial institutions require FIPS?

While not mandated by law, many banks and financial services providers require FIPS 140 validated cryptography to protect customer data and to align with industry best practices. Major payment networks like Visa also recommend FIPS standards.

What is the difference between FIPS 197 and FIPS 140-2?

FIPS 197 specifies one algorithm, AES. FIPS 140-2 sets requirements for the cryptographic module that implements approved algorithms such as AES: key management, self-tests, roles and authentication, physical security and so on. An AES implementation can pass algorithm testing under the Cryptographic Algorithm Validation Program (CAVP) and receive an algorithm certificate, but that alone does not make it a validated module; module validation under FIPS 140-2 is a separate and much larger process.

Is FIPS compliance mandatory for businesses?

FIPS is legally required for U.S. federal agencies and contractors working with government data. Companies in other industries often adopt FIPS standards voluntarily.

Can IT systems be partially FIPS certified?

No – a FIPS 140 certificate covers a cryptographic module within its defined cryptographic boundary, not the IT system around it. A system that embeds a validated module is using validated cryptography, but the system as a whole is not “certified”; for a whole product to be validated, the whole product would have to be the module and be tested as such. Individual components can be validated, but that does not make the surrounding system anything more than FIPS compliant.

Conclusion

As security technology and data storage evolve, FIPS certification provides value for both government and commercial organizations handling sensitive information. While compliance indicates alignment with standards, full certification takes this further through extensive independent testing.

Companies certified to FIPS 140-2 and other FIPS standards can assure customers their systems adhere to rigorous benchmarks set by NIST for data protection. With cyber threats on the rise, certification demonstrates commitment to true security effectiveness.


But What’s the Difference between FIPS Validated and FIPS Compliant?

I’ve mentioned the word “validation” or “certification” a couple of times, but you might have also heard the word “compliant” in association with FIPS. What does compliance have to do with all this? Although the two words sound like they should go hand in hand, there is in fact an important distinction between them when it comes to FIPS.

It doesn't take much to be FIPS compliant. In fact, all it really takes is the word of the company or vendor that its product is compliant with FIPS. The vendor can go a step further and obtain algorithm validation certificates, or incorporate a third party's validated module in its product, but unless the vendor's own module has gone through the CMVP's testing and approval process, that module is not FIPS validated.

Another instance where “FIPS compliance” is used is when a product is partially FIPS validated: certain components of the product (typically an embedded cryptographic library) have been tested, but the product itself is not wholly validated. This is an important distinction, because cryptography that sits outside the validated boundary has never been tested, and that is exactly where an implementation flaw can hide. It is far better to be FIPS validated than FIPS compliant.

How Does a Vendor Become FIPS 140-2 Validated?

In short, FIPS 140-2 Validated means that a module has been reviewed, tested, and approved by a testing lab accredited under NIST's National Voluntary Laboratory Accreditation Program (NVLAP) and then by the CMVP itself. As NIST puts it, “A product or implementation does not meet the FIPS 140-1 or FIPS 140-2 applicability requirements by simply implementing an approved security function and acquiring algorithm validation certificates.” That's right: if you want a product to be 100% approved and validated, it has to go through the entire Cryptographic Module Validation Program (CMVP) process, at the end of which it is issued a numbered validation certificate. This process varies greatly in cost and time, but here's a simple rundown of the steps:

  • Figure out what needs to be validated by defining the “cryptographic boundary”: the perimeter that contains the module's cryptographic functions and keys. Everything inside it must be tested and approved by one of the NVLAP-accredited testing labs; there are over a dozen to choose from. The cost of validation depends on how complex the module inside that boundary is.
  • Make sure the module is FIPS compliant first. As I said before, being compliant does not mean a product that contains cryptographic modules is validated; it means the product follows the requirements on paper, or that only certain parts of it have been tested, which leaves possible gaps in its security. If the entire module has not been tested and approved, the product is only FIPS compliant.
  • Every module must be submitted with a Security Policy that describes what the module is and how it meets the requirements. FIPS 140-2 has documentation requirements in 11 areas (module specification; ports and interfaces; roles, services and authentication; finite state model; physical security; operational environment; key management; EMI/EMC; self-tests; design assurance; and mitigation of other attacks), and all of them must be addressed.
  • Last but not least, send the module to an accredited Cryptographic and Security Testing (CST) lab to be reviewed and tested, after which the lab's report goes to the CMVP. If something is wrong at any stage, the module is sent back and must be changed. The CMVP tracks a submission through five stages (Implementation Under Test, Review Pending, In Review, Coordination and Finalization), and this step alone can take up to 16 months.
