What Does It Take to Be FIPS Compliant?

In this article, we look at what the Federal Information Processing Standard (FIPS) is, how to become FIPS compliant, and what it means for your organization.

FIPS

The Federal Information Processing Standards (FIPS) are a series of security standards issued for U.S. federal information systems. The best known of them, FIPS 140, covers cryptographic modules: the hardware, software, or firmware components that implement encryption, hashing, digital signatures, key management, and random number generation to protect sensitive data. FIPS 140 is used to test and validate the cryptographic modules of software, hardware, and systems that handle data for U.S. federal agencies.

FIPS standards are developed by the National Institute of Standards and Technology (NIST) and were created specifically for U.S. government agencies. Their purpose was to ensure proper handling of data in government applications and facilities, but FIPS 140 validation in particular has since expanded beyond a government requirement to become a widely used way of demonstrating that a product's cryptography is trustworthy.

Here’s an explanation of what it is, how to become FIPS compliant, and what it means for your organization.

What Is FIPS Compliance?

FIPS compliance means an application or product performs its security-relevant cryptography, protecting the data at rest on it or in transit through it, using cryptographic modules validated under FIPS 140-2 (or its successor, FIPS 140-3). It is a very specific type of compliance: it applies only to the cryptographic modules, the approved algorithms they implement, and how the application uses them.

What Does FIPS Stand For?

FIPS stands for Federal Information Processing Standards. The standards were created for the U.S. federal government but are recognized worldwide as a sound baseline for products and systems that use cryptography.

Who Is the NIST?

NIST is the National Institute of Standards and Technology, a non-regulatory agency of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology, which includes the technology standards that protect information systems against data theft and cyberattacks.

Its Information Technology Laboratory develops an array of standards and guidelines for computer security, information technology (IT), cybersecurity, risk management, cryptography, and other data management best practices, including the FIPS standards and the NIST Special Publication (SP) 800 series that supports them.

These standards are often required within and between government agencies, but they have become globally accepted as sound default security measures.

What Is the Purpose of FIPS?

The purpose of FIPS compliance is to demonstrate digital trustworthiness by adhering to nationally recognized standards that governmental and non-governmental organizations understand and respect. FIPS 140 specifically applies to the vendors of cryptographic modules and to the software and hardware built on them, which are then used by U.S. government agencies and by the contractors and vendors who work with those agencies.

For organizations that do not have their own cryptographic policy, using FIPS-validated modules and FIPS-approved algorithms is a sensible default to build on.

What Are the FIPS Compliance Requirements?

FIPS 140 validation evaluates a number of aspects of a cryptographic module, not just the algorithms it implements.

In general, a product may contain several cryptographic libraries or modules, whether it is hardware (e.g., a storage device) or software (e.g., a Java-based application). Not all of them need to be FIPS validated for the device or application to be compliant: only the ones that perform security-relevant functions on the data the product is expected to protect.

For example, a data storage device can be compliant by routing its encryption through a single FIPS-validated component. An application can use multiple cryptographic modules, but the calls that require FIPS compliance must go to a FIPS-validated module, must use FIPS-approved algorithms and key sizes, and must use them in an approved manner. This can get complicated: runtime properties of the application environment (for example, the security provider configuration of a Java runtime, or the FIPS mode of the operating system's crypto library) have to be set so that the right calls reach the validated module at the right time, and that configuration has to be documented.

For devices, FIPS 140 requirements cover, among other areas:

  • Approved cryptographic algorithms and key sizes
  • Key management (generation, entry, storage, and zeroization)
  • Physical security
  • Tamper evidence and tamper resistance (required at the higher security levels)
  • Roles, services, and operator authentication
  • Power-up and conditional self-tests
  • Design assurance and documentation

Why FIPS 140-2 Is Important

FIPS 140-2 is important because it is an established, well-documented standard with a public list of validated modules. Many customers and partners, and federal agencies in particular, request FIPS 140-2 validation as a baseline security measure, so holding a validation can be a precondition for doing business. Note that FIPS 140-2 has been superseded by FIPS 140-3: the Cryptographic Module Validation Program (CMVP) no longer accepts new FIPS 140-2 submissions, so new validations are performed against FIPS 140-3, while existing FIPS 140-2 certificates remain usable during a transition period.

Understanding FIPS 199 and 200

FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) is used to categorize information and information systems by the impact a compromise would have, and FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) defines the minimum security requirements that follow from that categorization, pointing to the control baselines in NIST SP 800-53. In short, FIPS 199 helps you rate the impact of losing IT systems and data, and FIPS 200 tells you the minimum you must do to address it.

Consider the FIPS 199 framework as a starting point for determining impact levels and applying the appropriate controls to manage that risk. FIPS 199 rates each of three security objectives (confidentiality, integrity, and availability) at one of three potential impact levels:

  • Low: limited adverse effect on operations, assets, or individuals
  • Moderate: serious adverse effect
  • High: severe or catastrophic adverse effect

So, if information were disclosed, modified, or made unavailable, how badly would it affect the organization's mission, its assets, or individuals? Each information type is rated per objective, and a system holding several information types takes the highest rating found for each objective (the high-water mark), with Low as the floor at the system level. With this framework, an organization can gauge risk and apply the appropriate security measures.

With that, FIPS 200 requires organizations to select the SP 800-53 control baseline matching the system's highest impact level, implement the controls across its seventeen security-related areas, and document how each requirement is met; continuous monitoring of those controls is then handled under NIST's Risk Management Framework (SP 800-37).
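The FIPS 199 categorization rule worked through in code, as an added example that is not part of the original article. The hypothetical HR portal, its information types, and their per-objective ratings are constructed for illustration (NIST SP 800-60 supplies provisional ratings for real information types). It implements the two rules the text only states: the per-objective high-water mark across information types, and the fact that "not applicable" is allowed only for an information type's confidentiality and never at system level.

```python
"""FIPS 199 security categorization, worked through in code.

Added example; this is not code from the original article. The system name,
its information types and the per-objective impact ratings below are
constructed for illustration, not taken from any real categorization
(NIST SP 800-60 supplies provisional ratings for common information types).
"""
from enum import IntEnum
from typing import Dict, Mapping


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    NOT_APPLICABLE = 0  # FIPS 199 allows this only for the confidentiality of an information type
    LOW = 1             # limited adverse effect
    MODERATE = 2        # serious adverse effect
    HIGH = 3            # severe or catastrophic adverse effect


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed inventory for a hypothetical HR portal: information type -> rating per objective.
SAMPLE_INFO_TYPES: Dict[str, Dict[str, Impact]] = {
    "public web content": {"confidentiality": Impact.NOT_APPLICABLE,
                           "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "contract records":   {"confidentiality": Impact.MODERATE,
                           "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "employee PII":       {"confidentiality": Impact.HIGH,
                           "integrity": Impact.MODERATE, "availability": Impact.MODERATE},
}


def categorize_information_type(ratings: Mapping[str, Impact]) -> Dict[str, Impact]:
    """Validate one information type's security category against the FIPS 199 rules."""
    missing = set(OBJECTIVES) - set(ratings)
    unknown = set(ratings) - set(OBJECTIVES)
    if missing or unknown:
        raise ValueError(f"missing objectives {sorted(missing)}, unknown objectives {sorted(unknown)}")
    for objective in ("integrity", "availability"):
        if ratings[objective] == Impact.NOT_APPLICABLE:
            raise ValueError(f"{objective} cannot be 'not applicable'; FIPS 199 permits that only for confidentiality")
    return {objective: Impact(ratings[objective]) for objective in OBJECTIVES}


def categorize_system(info_types: Mapping[str, Mapping[str, Impact]]) -> Dict[str, Impact]:
    """System SC = per-objective high-water mark across every information type it holds.
    FIPS 199 forbids 'not applicable' at system level, so LOW is the floor."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    categories = [categorize_information_type(r) for r in info_types.values()]
    return {objective: max(max(c[objective] for c in categories), Impact.LOW)
            for objective in OBJECTIVES}


def overall_impact(system_sc: Mapping[str, Impact]) -> Impact:
    """FIPS 200 selects the SP 800-53 baseline from the single highest objective rating."""
    return max(system_sc[objective] for objective in OBJECTIVES)


def format_sc(name: str, sc: Mapping[str, Impact]) -> str:
    """Render in FIPS 199 notation: SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    inner = ", ".join(f"({objective}, {sc[objective].name})" for objective in OBJECTIVES)
    return f"SC {name} = {{{inner}}}"


if __name__ == "__main__":
    system_sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc("HR portal", system_sc))
    print("baseline to select:", overall_impact(system_sc).name)
```

Run as a script it prints the HR portal as SC = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)} and selects the High baseline, which is the point of the high-water mark: one High information type drags the whole system's control set up with it. A system holding only the public web content would come out Low on confidentiality despite the type being rated "not applicable", because of the system-level floor.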

FIPS 201 and Who It Applies To

FIPS 201 is titled Personal Identity Verification (PIV) of Federal Employees and Contractors. It is a security standard for government employees and contractors that is meant to secure government facilities and the information systems within them. It bolsters security by ensuring only verified individuals can access those facilities and systems, whether physically or logically through logins, and so reduces fraud and unauthorized access.

FIPS 201 is concerned with the physical and logical access of individuals working for the government. It specifies the PIV smart card, the identity proofing and credentialing process behind it, the certificates and biometrics stored on it, and the authentication mechanisms that use it.

Where Can You Find a FIPS Compliance List?

The best place to find current FIPS validation information is the NIST Computer Security Resource Center (csrc.nist.gov). Its Cryptographic Module Validation Program (CMVP) pages hold the searchable list of validated cryptographic modules, each with its certificate number, security level, and the security policy document that states which algorithms and modes are covered; the Cryptographic Algorithm Validation Program (CAVP) pages list validated algorithm implementations. NIST does not publish a list of "FIPS compliant" products, so a vendor's compliance claim has to be traced back to one of those certificates.

What’s the Difference Between FIPS Approved and Compliant?

The difference is formal validation. FIPS validated (often loosely called "certified") means the module has been tested by an accredited laboratory and issued a certificate by the Cryptographic Module Validation Program (CMVP), which NIST runs jointly with the Canadian Centre for Cyber Security. FIPS compliant is a vendor's own claim that a product adheres to the standard, typically by embedding someone else's validated module or by implementing approved algorithms, without the product itself having undergone formal testing and validation. Be careful with "FIPS approved": NIST uses that term for the algorithms and security functions listed in the FIPS 140 annexes, not for products.

What Does FIPS Certified Mean?

FIPS certified means a module or product has been formally evaluated and validated under FIPS 140. Being FIPS compliant is not the same as being FIPS certified, which is the official indicator that the module has passed testing against the standard. Put simply, it is not always enough to be compliant: a customer asking for FIPS 140-2 will usually want to see a certificate number.

Generally, FIPS certification is a rigorous testing and validation process, taking into account a product’s:

  • Encryption key management
  • Algorithms
  • Related security features and aspects

However, there are different certifications for different products, such as the personal identity verification (PIV) cards mentioned above in the FIPS 201 standard.

How to Get Federal Information Processing Standard Certified

FIPS 140 validation is a complex, time-consuming process. Testing must be conducted by a laboratory accredited under NIST's National Voluntary Laboratory Accreditation Program (NVLAP), and the certificate is issued by the CMVP after it reviews the lab's report. Implementing the technical controls is only part of the process; documenting them in the module's security policy, finite state model, and test evidence is the other half. Laboratory testing alone can take four to six months, and the CMVP review queue commonly adds many more before a certificate is issued.

Do Products, Systems, and Services Get FIPS Certified?

Yes. FIPS validation applies to cryptographic modules, which may be implemented in hardware, software, firmware, or a combination, so both hardware and software products can contain FIPS-validated components. A data storage device, for example, can be tested in a lab against the FIPS 140-2 requirements for its cryptographic module. During the validation process, the cryptographic libraries and hardware that products, systems, and services rely on are examined and tested; a service is compliant by virtue of the validated modules it runs on, not by being validated itself.

Note: FIPS-certified partners and products are beneficial, too. Acquiring FIPS-certified components for your infrastructure, such as networking devices, microchips, and processors, can shorten the time to compliance by building compliance into your system.

Do Networks and People Need Federal Information Processing Standard Certifications?

No. As mentioned above, networks and people can use FIPS-validated products or components, but they cannot be FIPS-certified themselves. It is about using products and processes that adhere to FIPS guidelines and standards.

Limitations and Constraints of FIPS

Drawbacks and Limitations of FIPS

The main drawback of FIPS is how prescriptive, complex, and time-consuming it can be to earn and maintain a validation; even a bug fix or a new compiler can require re-validation of a software module, because the certificate covers a specific binary in a specific operational environment. The key limitation of FIPS 140 is that it is narrowly focused on cryptographic modules, not on the rest of a product's security.

Products or systems seeking FIPS compliance should consider how applications and products are architected, whether FIPS alone is sufficient, and how it will interoperate with other cybersecurity measures.

For example, many applications or systems use multiple cryptographic modules to protect all of their traffic or data at rest and in transit. Not all of that data will be sensitive, government-related information, and trying to route every call through a FIPS-only module can affect application performance. This adds complexity to both development and the constant, ongoing documentation required to distinguish between FIPS-required calls and non-FIPS-required calls, and a wrong routing (a security-relevant call that silently falls back to a non-validated library) is hard to spot without that documentation and a runtime check.
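The routing and documentation problem just described, and the runtime-configuration point made earlier under the compliance requirements, in working code, as an added example that is not from the original article or from any vendor's validated module. It assumes the Linux fips_enabled sysctl path, Python's hashlib usedforsecurity flag (3.9 and later), and a constructed sample of "openssl list -providers" output in the OpenSSL 3 format; the hash allow-list is this example's own policy, not a transcription of the FIPS 140 annexes. The split it enforces is exactly the one the text calls for: security uses are restricted to approved algorithms (and flagged so a FIPS-mode OpenSSL enforces the same rule underneath), non-security uses such as cache checksums may use anything, and every call is counted by purpose so the distinction can be documented rather than asserted.

```python
"""Keeping security-relevant cryptography on approved algorithms, with a per-call record.

Added example, not code from the original article or from any vendor's validated module.
Assumptions: the Linux fips_enabled sysctl path is real; the provider listing below is a
constructed sample in OpenSSL 3's "openssl list -providers" format; the hash allow-list is
this example's own policy (SHA-2/SHA-3 only; SHA-1 is excluded although FIPS still permits
it for a few legacy uses); HMAC keys under 112 bits are rejected per NIST SP 800-131A.
"""
import hashlib
import hmac
import subprocess
from collections import Counter
from typing import Dict, Optional

APPROVED_HASHES = frozenset({"sha224", "sha256", "sha384", "sha512",
                             "sha3_224", "sha3_256", "sha3_384", "sha3_512"})
MIN_HMAC_KEY_BYTES = 14  # 112 bits

# Constructed sample of `openssl list -providers` output on a host with the FIPS provider loaded.
SAMPLE_PROVIDER_LISTING = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
"""


class NonApprovedAlgorithm(ValueError):
    """A non-approved algorithm was requested for a security use."""


def kernel_fips_enabled(path: str = "/proc/sys/crypto/fips_enabled") -> bool:
    """Linux exposes the kernel's FIPS mode flag here; a missing file means not enabled."""
    try:
        with open(path, encoding="ascii") as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def parse_openssl_providers(listing: str) -> Dict[str, str]:
    """Turn `openssl list -providers` output into {provider_name: status}."""
    providers: Dict[str, str] = {}
    current: Optional[str] = None
    for line in listing.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped and indent == 2:                 # "  fips": a provider name
            current = stripped
            providers[current] = "unknown"
        elif current and stripped.startswith("status:"):
            providers[current] = stripped.split(":", 1)[1].strip()
    return providers


def openssl_fips_provider_active(listing: Optional[str] = None) -> bool:
    """True when OpenSSL 3's FIPS provider is loaded; runs the CLI unless output is supplied."""
    if listing is None:
        try:
            listing = subprocess.run(["openssl", "list", "-providers"], capture_output=True,
                                     text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            return False
    return parse_openssl_providers(listing).get("fips") == "active"


class CryptoPolicy:
    """Routes hash/MAC calls by purpose and counts them: the evidence that non-approved
    algorithms only ever served non-security uses."""

    def __init__(self, require_fips_mode: bool = False) -> None:
        if require_fips_mode and not kernel_fips_enabled():
            raise RuntimeError("host kernel is not in FIPS mode")
        self.calls: Counter = Counter()

    def _approved(self, algorithm: str) -> str:
        name = algorithm.lower()
        if name not in APPROVED_HASHES:
            raise NonApprovedAlgorithm(f"{algorithm} is not approved for security use")
        return name

    def secure_digest(self, algorithm: str, data: bytes) -> bytes:
        """Integrity tags, signature input, KDF input: approved algorithms only.
        usedforsecurity=True lets a FIPS-mode OpenSSL enforce the same rule underneath."""
        name = self._approved(algorithm)
        self.calls[("security", name)] += 1
        return hashlib.new(name, data, usedforsecurity=True).digest()

    def secure_mac(self, key: bytes, data: bytes, algorithm: str = "sha256") -> bytes:
        name = self._approved(algorithm)
        if len(key) < MIN_HMAC_KEY_BYTES:
            raise ValueError("HMAC key shorter than 112 bits is not an approved key size")
        self.calls[("security", "hmac-" + name)] += 1
        return hmac.new(key, data, name).digest()

    def checksum(self, algorithm: str, data: bytes) -> bytes:
        """Cache keys, dedup fingerprints: no security claim, so any algorithm is allowed and
        usedforsecurity=False keeps MD5 usable even when OpenSSL itself is in FIPS mode."""
        self.calls[("non_security", algorithm.lower())] += 1
        return hashlib.new(algorithm, data, usedforsecurity=False).digest()

    def report(self) -> Dict[str, Dict[str, int]]:
        """Per-purpose call counts, in the shape a FIPS assessor asks you to document."""
        out: Dict[str, Dict[str, int]] = {"security": {}, "non_security": {}}
        for (purpose, name), count in self.calls.items():
            out[purpose][name] = count
        return out
```

A deployment that must run on a FIPS-mode host constructs CryptoPolicy(require_fips_mode=True) at startup so a misconfigured image fails fast instead of quietly hashing with a non-validated library; openssl_fips_provider_active() gives the equivalent check for the OpenSSL 3 provider layer. The report() output is what turns the "which calls are FIPS-required" documentation from a spreadsheet maintained by hand into something generated from the running code.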

Networks Shouldn't Rely Solely on It

FIPS does not cover the other critical security measures a network needs to stay hardened against cyberattacks. Relying on FIPS alone and ignoring other important protocols and best practices leaves gaps unrelated to cryptography: endpoint security, network segmentation and monitoring, secure software development, password and credential management, and more. Correctly validated AES does nothing for a system that is compromised through an unpatched service or a phished password.

Conclusion: Get Always-on, FIPS-validated Encryption with Pure Storage

At Pure Storage, we understand the importance of securing your data amidst the ever-evolving threat of cybercrime across the globe. Purity, the software-defined heart of FlashArray, takes an "encrypt everything" approach, delivering AES-256 data-at-rest encryption whose algorithm implementations are validated under NIST's Cryptographic Algorithm Validation Program (CAVP), the algorithm-testing prerequisite for FIPS 140-2 module validation. When combined with FlashArray's robust security systems, around-the-clock data monitoring, and National Information Assurance Partnership (NIAP) Common Criteria certification, you can rest assured that your data is safe and secure when stored on Pure Storage all-flash arrays.