FIPS 140-2 Q&A
This blog post is a special Q&A session on FIPS 140-2 that we put together with the help of Jake Nelson of Corsec. Founded in 1998 by some of the same people who helped set up one of the original three FIPS test labs, Corsec is a leader in the FIPS certification space and helped Ixia with our FIPS 140-2 validation efforts.
What is FIPS 140-2?
The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. and Canadian co-sponsored security standard for hardware, software, and firmware solutions. All products sold into the U.S. federal government are required by law to complete FIPS 140-2 validation if they use cryptography in security systems that process Sensitive But Unclassified (SBU) information.
What are the different Levels of FIPS 140-2?
There are four increasing, qualitative security levels for FIPS 140-2. Each one focuses on eleven functional areas of product security related to secure design and implementation. At each level, greater amounts of evidence and engineering are required of the vendor in order to show compliance with the standard.
The eleven functional areas that must be addressed are:
- Cryptographic Module Specification
- Module Ports and Interfaces
- Roles, Services, and Authentication
- Finite State Model
- Physical Security
- Operational Environment
- Cryptographic Key Management
- Electromagnetic Interference / Electromagnetic Compatibility (EMI/EMC)
- Self-Tests
- Design Assurance
- Mitigation of Other Attacks
What sort of end users and customers are interested in FIPS 140-2?
All end users looking for a high degree of security, assurance, and dependability within their security systems will seek products possessing a FIPS 140-2 validation. This is not only a product benefit, but is also mandated by industries and governments around the globe. Section 5131 of the Information Technology Management Reform Act of 1996 mandated the use of FIPS-validated products by all U.S. federal agencies.
What other countries and industries leverage FIPS 140-2?
Although FIPS is a U.S. and Canadian sponsored standard, it has been heavily adopted by foreign governments (including the European Union, South America, and Asia) and regulated industries (including the intelligence community, financial services, health care, critical infrastructure, the automotive industry, and the Internet of Things (IoT)) around the globe.
What is the relationship between NIST, FIPS 140-2, and companies like Corsec?
There are three key players in the FIPS 140-2 validation process:
- The National Institute of Standards and Technology’s (NIST) Cryptographic Module Validation Program (CMVP), which sets information security mandates for products containing cryptography and is ultimately responsible for issuing certificates;
- Third-party laboratories, which are accredited by NVLAP and test products to ensure they adhere to FIPS 140-2 standards; and,
- IT product vendors, who must ensure their products conform to the standard, and submit documentation to a third-party lab for testing.
Corsec is a comprehensive product security company that helps vendors go through the hurdles of achieving their FIPS validation. They advocate on behalf of the vendor to communicate directly with NIST and the labs to get the product through the stages of the FIPS process.
Are there other, similar certifications vendors should be aware of?
Depending on your organization’s market goals and objectives, there are a number of certifications and validations that a vendor should investigate.
Common Criteria is an internationally recognized set of guidelines (ISO 15408), which define a common framework for evaluating security features and capabilities of Information Technology (IT) security products. Once completed, it provides assurance to buyers that the process of specification, implementation and evaluation for any certified computer security solution was conducted in a thorough and standard manner. Completing your Common Criteria evaluation allows you to sell your solutions to the U.S. Federal Government, International Governments, and other highly regulated industries around the globe. It is not only required for access to government markets, but also serves as a competitive differentiator.
The DoDIN APL (Department of Defense Information Network Approved Products List) was created in 2011 by the Department of Defense to identify solutions that were trusted to address government security concerns. The DoDIN APL represents the agency’s master list of products available for purchase that are secure, trusted, and approved for deployment within the DoD’s technology infrastructure. Only those products listed will be considered for procurement by DoD contracting departments. It has been referred to by many names including: the UC APL (Unified Capabilities Approved Products List), JITC Testing, STIG testing, and others.
What is the process to complete FIPS 140-2 validation? How long does it take? Do you look at source code?
There are five major stages that need to be addressed in order to complete a FIPS 140-2 validation: Certification Strategy, Product Security Hardening, Documentation, Laboratory and Algorithm Testing, and Government Review. At each stage, there are a number of deliverables that need to be accomplished, all helping to streamline your project and ensure a smooth transition from one stage to the next. For a complete list of all the stages, the deliverables, and key takeaways, visit here.
With a sound strategy, expert guidance, and FIPS experience, you can expect to complete your FIPS validation in around 12 to 14 months. This validation will remain valid for up to five years. Of course, every product is different and every company has varying levels of experience with the process, so the process could take much longer if not done correctly.
Source code is just one of the many things that are reviewed during your FIPS validation. That is why it is so important to work with a partner that protects your Intellectual Property (IP) and takes security seriously. Make sure to visit your partner’s site and evaluate the security measures they implement to ensure that your project and IP are safe.
Here is a guide to some questions you should ask of your partners.
How do software updates interplay with FIPS 140-2?
Understand that a FIPS validation process is a point-in-time evaluation exercise. That is, the evaluation process is intended to review a product as it exists at a single point in time. Thus, the validation (and associated certificate) is specific to the software version or hardware model that underwent the testing. Any updates to that version or changes to that model will represent a different entity than what was tested; thus, it is not covered by the validation.
One of the primary goals of the Certification Strategy stage of the process is to determine a validation approach that will minimize these sorts of issues. With proper planning, selection of the correct boundaries and levels, and knowledge of the available validation maintenance options, strategies can be created that will maximize the life of a validation.
How long has Corsec been doing FIPS 140-2? Can you name any customers?
Corsec’s founders helped to start and operate one of the original three FIPS testing laboratories. They watched product vendors stumble through the maze of requirements in the FIPS validation process, which often resulted in frustration, missed deadlines, redundancy, and ultimately, lost revenue opportunities. In 1998, with a clear vision to provide companies with an approach of “customer advocacy” and a turnkey solution within a system of assured quality, Corsec was born. After nearly two decades of work, Corsec has helped complete nearly 500 certifications for companies big and small around the globe, including the likes of HPE, Dell, Cisco, General Dynamics, Northrop Grumman, Unisys, and many more.
What sort of challenges or roadblocks have you seen with FIPS 140-2?
With any large endeavor, there are certain areas that present risk and could potentially derail your validation. Developing a strategy upfront will help to mitigate those risks down the road. With nearly twenty years of experience, Corsec has identified the common roadblocks at each of the five stages in the process:
- Certification Strategy: Lack of organizational alignment will hinder your ability to get your validation moving quickly and keep it on track throughout the lifecycle of the project. Additionally, you must have market intelligence on your competition and customer requirements prior to developing your strategy; otherwise you could take a path that limits ROI.
- Product Security Hardening: Limited experience and expertise with the FIPS requirements will hinder you from a design engineering perspective. The product must comply with requirements in all eleven sections in order to complete the process. Without this expertise, it will be difficult to design, develop, and test a product that will pass muster.
- Documentation: Both the government and the labs have very specific preferred formats for the submission documentation. If not done correctly, you could produce thousands of pages that actually make the lab’s job more difficult, and ill-timed re-work could significantly delay your project, as well as your ability to begin seeing any ROI.
- Laboratory and Algorithm Testing: The lab will request certificates which you must produce from testing your algorithms. These test results are often fraught with challenges and misunderstanding. Having a system to run lab test vector files will expedite the process significantly.
- Government Review: Knowledge of the standard will help avoid re-work and duplicative efforts when the government comes back with questions. Defense of your documentation and testing will help to prevent unneeded work that could be avoided with proper advocacy.
If someone wants to get validated, are there things they should start doing right away?
The earlier you can prepare, the better. If you are currently developing your product, take time to bring in someone who knows the FIPS requirements to ensure the design and implementation of the solution meets all eleven requirements. If you have already developed your solution, perform a gap analysis to determine the delta between where you are and where you need to be in order to meet them. This should be the first step any organization takes, whether it is internally performed or assessed through a partner.
How is “FIPS-validated” different from “FIPS-compliant”?
There is a substantial difference between having your product achieve FIPS 140-2 validation and claiming your product is FIPS 140-2 compliant.
“FIPS-compliant” is a self-designated term that has no associated requirements or minimum criteria. Further, it has absolutely no government backing. Vendors may use this term in reference to a product that uses FIPS-Approved algorithms or libraries, but has not actually gone through the necessary steps to verify and test that the product is using them in a FIPS-Approved manner. It does not hold any weight, nor can you claim you have completed FIPS 140-2 validation.
“FIPS-validated” asserts that your specific solution has gone through the rigor of the entire FIPS 140-2 process, resulting in the award of a certificate of your own issued by NIST (the U.S. government component of the CMVP). Further, this means that your product has been tested by an independent third-party laboratory and will meet the legal requirements passed by Congress, as well as the procurement requirements for the U.S. government and other industries, including: healthcare, financial services, and critical infrastructure. Corsec has developed a whitepaper to explore this topic further.