In a prior article, we explained what the Federal Information Processing Standards (FIPS) are and how to determine FIPS compliance. In this article, we’ll explain what FIPS mode is and how enabling FIPS mode on networks and/or devices can make systems FIPS compliant.
What Are the Federal Information Processing Standards?
The Federal Information Processing Standards (FIPS) are a set of federal security standards designed to protect sensitive data and systems used by U.S. government agencies and the contractors and vendors they work with. They’re specifically meant to govern cryptographic modules: the hardware, software, or firmware components that implement the algorithms encrypting data stored within the system or device.
Encryption modules for information technology and computer security programs that are running in FIPS mode will perform Federal Information Processing Standards-compliant functions such as key generation, encryption, and decryption.
What Is NIST?
The National Institute of Standards and Technology (NIST) is a U.S. government laboratory that works to promote the economic security of the country by developing security standards that counter digital theft and cybersecurity threats.
Security standards issued by the laboratory are considered excellent default security measures, even for non-federal agencies not required to operate in FIPS mode for compliance.
Overview of FIPS and Its History
Federal Information Processing Standards were first created by NIST in 1974. FIPS compliance provides rigorous standards for IT and computer security. Specifically, it’s concerned with the compliance of an application’s or product’s encryption modules, which are designed to protect data in transit or at rest. NIST designed the standards to improve the security of sensitive data.
What Is FIPS Mode?
FIPS mode is a configuration option for systems (e.g., software, operating systems, SIEM solutions) and hardware (e.g., routers, data storage). When this option is enabled and the FIPS security features it controls are in effect, the device or system is running in FIPS mode and is typically considered to be Federal Information Processing Standards compliant. (For Federal Information Processing Standards 140-2, additional parameters may be required for compliance.)
What Happens in FIPS Mode?
When a device or system and its components are running in FIPS mode, they use only Federal Information Processing Standards-compliant algorithms and libraries for cryptography. In some cases, they may also run additional data protection features. While in FIPS mode, certain functions that are not Federal Information Processing Standards compliant may also be disabled or restricted.
Can FIPS Mode Be Disabled?
Yes, FIPS mode can be disabled. When Federal Information Processing Standards mode is disabled, non-Federal Information Processing Standards compliant functions are no longer restricted.
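The two behaviours described above (non-approved algorithms refused while FIPS mode is on, available again once it is off) can be illustrated with a small policy gate. The following is an added example, not code from the original article or from any FIPS-validated module; the allow-list it uses is limited to the SHA-2 family for illustration, whereas a real module's approved set is defined by its security policy. The path `/proc/sys/crypto/fips_enabled` is the real Linux kernel flag; everything else (the `FipsPolicyError` class, `digest_hex`, `audit_algorithms`) is a hypothetical name chosen for this example.

```python
"""Illustrative FIPS-mode policy gate (added example, not the article's code).

Real FIPS mode is enforced by the operating system and the crypto library
(for instance an OpenSSL build running its FIPS provider); this module only
mimics the observable behaviour: with the mode on, non-approved algorithms are
refused, with it off they work again.
"""
import hashlib

# Real Linux kernel flag; the file contains "1" when FIPS mode is enabled.
FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"

# Illustrative allow-list (assumption for this example): SHA-2 digests only.
# MD5 is deliberately absent; a real module's list comes from its security policy.
APPROVED_DIGESTS = frozenset({"sha224", "sha256", "sha384", "sha512"})


def system_fips_enabled(path: str = FIPS_FLAG_PATH) -> bool:
    """Return True if the running Linux kernel reports FIPS mode as enabled."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        # Non-Linux host, or flag not exposed: treat as not enabled.
        return False


class FipsPolicyError(ValueError):
    """Hypothetical error: a non-approved algorithm was requested in FIPS mode."""


def digest_hex(data: bytes, algorithm: str, fips_mode: bool) -> str:
    """Hash `data`, enforcing the allow-list only when fips_mode is True.

    With fips_mode=False every digest hashlib offers is available again,
    which is the "disabled" behaviour the article describes.
    """
    name = algorithm.lower()
    if fips_mode and name not in APPROVED_DIGESTS:
        raise FipsPolicyError(f"{name} is not on the approved list; refused in FIPS mode")
    return hashlib.new(name, data).hexdigest()


def audit_algorithms(requested, fips_mode: bool) -> dict:
    """Classify each requested algorithm as allowed or blocked under the given mode."""
    result = {}
    for alg in requested:
        try:
            digest_hex(b"", alg, fips_mode)
            result[alg] = "allowed"
        except FipsPolicyError:
            result[alg] = "blocked by policy"
        except ValueError:
            # The underlying crypto library itself refused the name: this is what
            # happens on a host whose OpenSSL build runs in real FIPS mode.
            result[alg] = "blocked by library"
    return result


if __name__ == "__main__":
    print(f"kernel FIPS flag set: {system_fips_enabled()}")
    for fips_on in (True, False):
        print(f"fips_mode={fips_on}:",
              audit_algorithms(["md5", "sha256", "sha512"], fips_on))
```

Running the script on a host whose kernel flag is set and whose crypto library honours it reports md5 as "blocked by library" even when the example's own flag is off, which is the practical difference between a software policy and genuine FIPS mode: the latter is enforced below the application.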
What Technology Can Be Put in FIPS Mode?
Any technology or system that can run Federal Information Processing Standards-compliant encryption algorithms or operations can be put into Federal Information Processing Standards mode.
Hardware That Can Be Put in Federal Information Processing Standards Mode
The types of hardware that can be put into Federal Information Processing Standards mode include hardware that performs cryptographic functions, such as:
- Data storage arrays (e.g., self-encrypting drives)
- Network devices, such as routers, firewalls, and network switches
- Security devices
Software That Can Have Federal Information Processing Standards Mode Enabled
The types of software that can have Federal Information Processing Standards mode enabled include systems or software that run encryption modules, such as:
- Operating systems
- Encryption software
- Virtual private networks (VPNs)
- SIEM software or network intrusion detection systems
What Networks and Industries Need FIPS Mode?
The networks or industries that need FIPS mode are those contractually obligated to use it, typically networks within the United States handling classified information for the U.S. government. These can include:
- Federal and government networks
- Law enforcement, national security, and national defense networks
- Healthcare networks
- Military networks
- Critical infrastructure, including the utilities sector, energy, power, and power grid networks
FIPS Mode vs. Being FIPS Validated
FIPS mode is a specific configuration or setting that is enabled, while being Federal Information Processing Standards validated means a system or device has undergone the formal Federal Information Processing Standards validation testing process. For example, a device can be Federal Information Processing Standards validated but not necessarily running in FIPS mode.
FIPS mode is a very specific configuration for devices and systems that must be Federal Information Processing Standards compliant, but it’s important to note that it is not a catchall nor will it be appropriate for every device or system.
Not all data storage devices are able to be Federal Information Processing Standards compliant or run in FIPS mode. If you need a Federal Information Processing Standards-compliant data storage device, look for a storage array that explicitly notes Federal Information Processing Standards compliance in its system documentation (e.g., technical specs and user manuals), check the vendor’s documentation, or reach out to technical support.