A Primer on FIPS 140-2 Certifications

Last week I spent my time attending the International Cryptographic Module Conference outside of Washington D.C. A recurring topic of interest to those in attendance was FIPS 140-2. There were a lot of questions around the topic, so I thought it beneficial to explain the basics of FIPS 140-2 certifications.

So, what is FIPS 140-2?

The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2), is a U.S. government computer security standard used to approve cryptographic modules. The title is, “Security Requirements for Cryptographic Modules.” There are 4 levels of certification. If you want specifics on what they are, you can look at the actual standard here or the Wikipedia article here. To simplify those even further, see below:

  • Level 1: In Layman’s terms, this is a certification that you are using crypto algorithms that the U.S. government approves of and they actually work the way they’re supposed to work. This makes sure that when your product makes an AES key, for example, it works the same as an AES key that was created by OpenSSL, Thales, SafeNet, or anyone else.
  • Level 2: Same as level 1, but add the requirement to be notified if someone tampered with your module. If you have a hardware module, then you also need to have some measures to keep someone from easily seeing inside (locked covers, foam to block visibility, etc)
  • Level 3 (Hardware only): Same as the previous levels, but now if someone manages to get into the box then any non-encrypted sensitive data must be automatically erased. This is called ‘zeroizing’ or the ‘data has been zeroized’. There is also a requirement that input and output must be on separate physical interfaces, which is why only hardware can get certified at this level.
  • Level 4 (Hardware only): Same as previous levels, but add in environmental detection to the tamper detection. Box is too hot? Too cold? Too much light? You looked at it really menacingly? Anything besides what it normally expects in a datacenter? It destroys all the sensitive information.

Who wants FIPS certification? Who requires it? What level?

Who requires FIPS certification? Let’s start with the easy part first The obvious answer is the U.S. government. When your product starts the FIPS validation testing process, it goes on a list that any government agency can go check and see that you are in the process. For the government, this is as good as being on the list and they are free to buy your stuff. There are some controls around this, but more on that later. Beyond the U.S. government, any company who has a requirement for HIPAA, FISMA, or FedRAMP require it.

Who wants FIPS? This is a harder question to answer, but we can make some general assumptions. Most U.S. companies who are interested in high security are interested in a product that is FIPS certified. International companies and governments will generally see it as a nice to have, but not really unique. European governments and companies may be interested in Common Criteria over FIPS. Asian countries, specifically Japan, will likely be more interested in ISO certifications. FIPS 140-3, which has been in draft for a long while now, may include some ISO standards, but that is not guaranteed.

What level are they looking for? SafeLogic, who assists companies with FIPS testing, had a very good presentation at ICMC 2017 that hasn’t been published yet on this topic. To summarize, a company considering FIPS certification will find the most value by certifying at Level 2. Most companies looking to buy a product with FIPS certification want Level 2 or they just want to be able to say that they are purchasing a product that is in fact FIPS certified (at any level). The U.S. government for classified projects will be the highest desire for FIPS levels beyond 2. Very few customers care about FIPS level 4, mostly due to the environmental constraints.

How does a product get FIPS certified?

This is a long process with a fair number of requirements, but I will give the short, high level answer. A company, like Fornetix, documents all the security information about their product and how it meets the FIPS requirement based on 11 different categories. That information, along with the product itself, gets shipped off to one of around twenty labs who test out everything and work with us to sure-up all the documentation. The testing results and documentation get sent to NIST who evaluate it and if all goes well, our product gets certified for that specific version on that specific hardware. There is usually quite a bit of back and forth between the vendor, the lab, and NIST. The whole process usually takes around 12 to 18 months. Significant updates to the product’s security boundary must get recertified as well as any major platform changes. I won’t go into details here, as it begins to get very complicated and subjective. As well, the requirements that a product needs to meet to attain a FIPS certification were essentially signed into law years ago. The group that does the review at NIST doesn’t have the ability to change the requirements, but they do update the implementation guidance regularly to help companies get through the process as technology evolves.

Hopefully this was helpful and gives you a better understanding of FIPS and just what it means when we, at Fornetix, say that our Key Orchestration Appliance is undergoing FIPS 140-2 Certification at Level 2.