Federal agencies purchasing cryptographic-based security systems must confirm an associated FIPS 140-2 certificate exists. This procurement “check-box” item is a deal-breaker. Vendor claims of “designed for FIPS” or “FIPS ready” are not sufficient to pass this hurdle. There is an advantage in selecting a product with a FIPS 140-2 certificate over a solution that has not undergone the rigorous approval process.
No FIPS certificate = No sale
The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. Testing against the FIPS 140-2 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment (CSE) of Canada.
The current version of the standard, FIPS 140-2, has security requirements covering 11 areas related to the design and implementation of a cryptographic module. Each module has its own security policy — a precise specification of the security rules under which it operates — and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. For each area, a cryptographic module receives a security level rating 1 to 4 (from lowest to highest) depending on the requirements met. Validation against the FIPS 140-2 standard is required for all U.S. federal government agencies that use cryptography-based security systems — hardware, firmware, software, or a combination — to protect sensitive but unclassified information stored digitally. NIST publishes a searchable list of vendors and their cryptographic modules validated for FIPS 140-2.
Cisco is a leader in securing Federal Information Processing Standard (FIPS) 140 validations. We are dedicated to information assurance and complying with standards for both product depth and breadth. FIPS 140 is a U.S. government standard that specifies security requirements for cryptographic modules. A cryptographic module is defined as "the set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary." The cryptographic module is what is being validated.
Cisco Global Certification and Common Security Modules have been implemented as an innovative approach to expedite FIPS certifications. They developed a crypto module that is already FIPS-validated and can be embedded in Cisco products. Because the crypto module is already FIPS-validated, the Cisco product can claim compliance to FIPS 140. The compliance process verifies that the Cisco product has implemented cryptography according to standards and all applications that use cryptography do so correctly. These solutions include, but are not limited to:
Microsoft maintains an active commitment to meeting the FIPS 140-2 requirements, having validated cryptographic modules since the standard’s inception in 2001. Microsoft certifies the cryptographic modules used in Microsoft products with each new release of the Windows operating system. For technical information on Microsoft Windows cryptographic modules, the security policy for each module and the catalog of CMVP certificate details. While the current CMVP FIPS 140-2 implementation guidance precludes a FIPS 140-2 validation for a cloud service, cloud service providers can obtain and operate FIPS 140-2 validated cryptographic modules for the computing elements that comprise their cloud services. Azure is built with a combination of hardware, commercially available operating systems (Linux and Windows), and Azure-specific version of Windows. Through the Microsoft Security Development Lifecycle (SDL), all Azure services use FIPS 140-2 approved algorithms for data security because the operating system uses FIPS 140-2 approved algorithms while operating at a hyper scale cloud. Moreover, Azure customers can store their own cryptographic keys and other secrets in FIPS 140-2 validated hardware security modules (HSM). While the current CMVP FIPS 140-2 implementation guidance precludes a FIPS 140-2 validation for a cloud service itself; cloud service providers can choose to obtain and operate FIPS 140 validated cryptographic modules for the computing elements that comprise their cloud service. These solutions include, but are not limited to:
VMware has validated various cryptographic modules against the FIPS 140-2 standard. The FIPS 140-2 standard specifies and validates the cryptographic and operational requirements for the modules within security systems that protect sensitive information. These modules employ NIST-Approved security functions such as cryptographic algorithms, key sizes, key management and authentication techniques.
These solutions include, but are not limited to:
Historically, software operating on a FIPS 140-2 certified system did not automatically inherit the sophisticated cryptography certifications of the base operating system. With this certification, Red Hat becomes the first in the industry to provide assurance that its integrated solutions that incorporate Red Hat Enterprise Linux will retain the FIPS 140-2 certification. These solutions include, but are not limited to:
The certified modules retain FIPS 140-2 certification on these hardware configurations:
Federal Information Processing Standards (FIPS) 140-2 is a mandatory standard for the protection of sensitive or valuable data within Federal systems. FIPS 140-3 is an incremental advancement of FIPS 140-2, which now standardizes on the ISO 19790:2012 and ISO 24759:2017 specifications. Historically, ISO 19790 was based on FIPS 140-2, but has continued to advance since that time. FIPS 140-3 will now point back to ISO 19790 for security requirements. Keeping FIPS 140-3 as a separate standard will still allow NIST to mandate additional requirements on top of what the ISO standard contains when needed.
Among the changes for FIPS 140-3 are conditional algorithm self-tests, where the algorithm self-tests are only performed if used. The pre-operational self-test is now faster, as all the algorithms are not tested until needed. This helps with startup times as the public key self-testing can be time consuming. The “self-tests” can be run at appropriate times for your application startup. Also, there is additional testing of the DRBG entropy sources. WolfSSL is working hard with our lab to make WolfCrypt be the first cryptography library to have FIPS 140-3 validation. WolfCrypt has been listed on the CMVP IUT List for FIPS 140-3! They are currently working with our testing lab to get validated as quickly as possible with the new FIPS standard from the NIST. WolfSSL is the first software library on the FIPS 140-3 IUT list for embedded development.