Understanding FIPS 140-2 Requirements for Achieving FedRAMP Compliance

ISVs and SaaS providers looking to obtain FedRAMP accreditation must comply with the FIPS 140-2 encryption standard. The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptographic modules, which include both hardware and software components. Protecting a cryptographic module within a security system is critical to maintaining the confidentiality and integrity of the information it handles. ISVs and Cloud Service Providers (CSPs) looking to sell cloud solutions to US Government and Department of Defense customers must understand the FIPS requirements.

Understanding FIPS

FIPS (Federal Information Processing Standards) is a set of standards that describe document processing, encryption algorithms, and other information technology processes for use within non-military federal government agencies and by the government contractors and vendors who support them. The FIPS 140-2 standard specifies the security requirements that a cryptographic module must satisfy. The standard defines four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. Each level requires that all lower levels also be met, but not every product must reach FIPS Level 4. For example, Level 1 provides the most basic security with practically no physical requirements; a personal computer encryption board can be a validated Security Level 1 cryptographic module. For that PC to be validated at Security Level 2, it would need to comply with all the requirements of Level 1 and additionally meet the role-based authentication and tamper-evidence requirements of FIPS Level 2. Certain levels are only appropriate for certain products or solutions.

In short, FIPS 140-2 Validated means that a product has been reviewed, tested, and approved by an accredited (NIST-approved) testing lab. For a product to be fully approved and validated, it has to go through the entire Cryptographic Module Validation Program (CMVP) process and receive an official validation certificate. This process varies greatly in cost and time, but here is a quick rundown of the steps:

  1. Identify what needs to be validated: Identify the “cryptographic boundary”, in other words, figure out what needs to be tested and approved. The cost of a FIPS validation depends on how complex the product is.
  2. Achieving FIPS compliance: It is important to note that being compliant does not mean a product that contains cryptographic modules is validated. Being FIPS compliant means only certain aspects of a product have been tested and approved, so there may still be gaps in the security of the product.
  3. Submit a Security Policy: All products must be submitted with a Security Policy that outlines what the module is and how it complies with FIPS. There are numerous documentation requirements across 11 different areas (such as ports, interfaces, and authorization), and all of them must be addressed.
  4. Accredited Cryptographic Module Testing (CMT) lab: The product must be sent to a CMT lab to be reviewed and tested.

ISVs developing their own software products should evaluate their FIPS compliance posture if their solution is going to be sold to a government customer or hosted in a commercial cloud environment like AWS.

FIPS Validated vs. FIPS Compliant: Understanding the Difference

The FIPS 140-2 validation process examines the cryptographic modules. Level 1 examines the algorithms used in the cryptographic component of the software. Levels 2-4 build on the software component by adding different layers of physical security. For example, Level 3 ensures that the code is within a tamper-proof container so that the keys used in the cryptography are destroyed if the device is physically compromised.

To be FIPS 140-2 certified or validated, the software (or hardware) must be independently validated by one of 13 NIST-specified laboratories. It is important to note that when the software code changes, FIPS requires that code to be re-validated to make sure that errors have not been introduced. “FIPS 140 validated” means that the cryptographic module, or a product that embeds the module, has been validated (“certified”) by the CMVP as meeting the FIPS 140-2 requirements. On the other hand, “FIPS 140 compliant” is an industry term for IT products that rely on FIPS 140 validated products for their cryptographic functionality.

How is FIPS 140-3 different from FIPS 140-2?

The Federal Information Processing Standard (FIPS) is a U.S. and Canadian standard for validating the security of cryptographic modules. FIPS 140-3 is the newest version and is more closely aligned with international ISO/IEC standards than its predecessor, FIPS 140-2. FIPS 140-3 is an adoption of ISO 19790 and includes references to two existing international standards: ISO 19790 on information technology, security techniques, and requirements; and ISO 24759 on testing requirements for cryptographic modules.

These updates, replacements, and additions are necessary, and the ISO/IEC standards will now guide the cryptographic algorithm, module testing, conformance, and validation activities that were originally cited in FIPS 140-2. While FIPS 140-2 continues on through 2026, development to support and validate FIPS 140-3 modules must be in place by September 2020.

About Us

Are you looking to sell cloud solutions to US Federal clients? Schedule a free consultation with our experienced FedRAMP, FISMA, and CMMC compliance experts. Our stackArmor ThreatAlert® ATO on AWS solution helps customers avoid costly FedRAMP compliance mistakes in the areas of FIPS 199 categorization, FIPS 140-2 compliance, MFA requirements, and boundary definition, amongst others. Our end-to-end solution accelerates compliance by delivering a FedRAMP/NIST compliant security system with over 17 security requirements delivered “in-boundary”, reducing risk and complexity. We are able to reduce the time and cost of a FedRAMP, FISMA, or DFARS Authorization by 40% through automation, standardization, and pre-filled documentation. Have questions? Contact us and we’d be happy to assist.