FIPS 140-2: Covering the Basics

What is FIPS 140-2?

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. and Canadian co-sponsored security standard for hardware, software, and firmware solutions.

All products sold into the U.S. federal government are required by law to complete FIPS 140-2 validation if they use cryptography in security systems that process Sensitive But Unclassified (SBU) information.

What are the different Levels of FIPS 140-2?

There are four increasing, qualitative security levels for FIPS 140-2. Each one focuses on eleven functional areas of product security related to secure design and implementation. At each level, greater amounts of evidence and engineering are required of the vendor in order to show compliance with the standard. The eleven functional areas that must be addressed are:

  1. Cryptographic Module Specification
  2. Module Ports and Interfaces
  3. Roles, Services, and Authentication
  4. Finite State Model
  5. Physical Security
  6. Operational Environment
  7. Cryptographic Key Management
  8. Electromagnetic Interference / Electromagnetic Compatibility (EMI/EMC)
  9. Self-Tests
  10. Design Assurance
  11. Mitigation of Other Attacks

In order to complete the validation process, all eleven sections must be addressed. The level at which you decide to validate your product will depend upon your objectives, customer requirements, and competitive landscape.

What sort of end users and customers are interested in FIPS 140-2?

All end users looking for a high degree of security, assurance, and dependability within their security systems will seek products possessing a FIPS 140-2 validation. This is not only a product benefit, but mandated by industries and governments around the globe. Section 5131 of the Information Technology Management Reform Act of 1996 mandated the use of FIPS-validated products by all U.S. federal agencies.

Although FIPS is a U.S. and Canadian sponsored standard, it has been heavily adopted by foreign governments (including the European Union, South America, and Asia) and regulated industries (including the intelligence community, financial services, health care, critical infrastructure, the automotive industry, and the Internet of Things (IoT)) around the globe.

What is the relationship between NIST, FIPS 140-2, and Corsec?

There are three key players in the FIPS 140-2 validation process:

  • The National Institute of Standards and Technology’s (NIST) Cryptographic Module Validation Program (CMVP), which sets information security mandates for products containing cryptography, and is ultimately responsible for issuing certificates;
  • Third-party laboratories, which are accredited by NVLAP, test products to ensure they adhere to FIPS 140-2 standards; and,
  • IT product vendors, who must ensure their products conform to the standard, and submit documentation to a third-party lab for testing.

Corsec is a comprehensive product security company that helps vendors go through the hurdles of achieving their FIPS validation. We advocate on behalf of our partners to communicate directly with NIST and the labs to get their product through each stage of the FIPS process.

What other certifications should vendors be aware of?

Depending on your organization’s market goals and objectives, there are a number of certifications and validations that a vendor should investigate:

Common Criteria is an internationally recognized set of guidelines (ISO 15408), which define a common framework for evaluating security features and capabilities of Information Technology (IT) security products. Once completed, it provides assurance to buyers that the process of specification, implementation and evaluation for any certified computer security solution was conducted in a thorough and standard manner. Completing your Common Criteria evaluation allows you to sell your solutions to the U.S. Federal Government, International Governments, and other highly regulated industries around the globe. It is not only required for access to government markets, but also serves as a competitive differentiator.

The DoDIN APL (Department of Defense Information Network Approved Products List) was created in 2011 by the Department of Defense to identify solutions that were trusted to address government security concerns. The DoDIN APL represents the agency’s master list of products available for purchase that are secure, trusted, and approved for deployment within the DoD’s technology infrastructure. Only those products listed will be considered for procurement by DoD contracting departments. It has been referred to by many names including: the UC APL (Unified Capabilities Approved Products List), JITC Testing, STIG testing, and others.

What is the process to complete FIPS 140-2 validation? How long does it take? Do you look at source code?

There are five major stages that need to be addressed in order to complete a FIPS 140-2 validation: Certification StrategyProduct Security HardeningDocumentationLaboratory and Algorithm Testing, and Government Review. At each stage, there are a number of deliverables that need to be accomplished, all helping to streamline your project and ensure a smooth transition from one stage to the next. View a complete list of all the stages, deliverables, and key takeaways for your FIPS validation.

With a sound strategy, expert guidance, and FIPS experience, you can expect to complete your FIPS validation in around 12 to 14 months. This validation will remain valid for up to five years. Of course, every product is different and every company has varying levels of experience with the process, therefore the process could take much longer if not done correctly.

Source code is just one of the many things that is reviewed during your FIPS validation. That is why it is so important to work with a partner that protects your Intellectual Property (IP) and takes security seriously. Make sure to visit your partner’s site and evaluate the security measures they implement to ensure that your project and IP are safe. This guide covers key questions you should ask of your partners to ensure your assets are protected.

How do software updates interplay with FIPS 140-2?

The FIPS evaluation process is intended to review a product as it exists at a single point in time. Thus, the validation (and associated certificate) is specific to the software version or hardware model that underwent the testing. Any updates to that version or changes to that model will represent a different entity than what was tested; thus, it is not covered by the validation.

One of the primary goals of the Certification Strategy stage of the process is to determine a validation approach that will minimize these sorts of issues. With proper planning, selection of the correct boundaries and levels, and knowledge of the available validation maintenance options, strategies can be created that will maximize the life of a validation.

What sort of challenges or roadblocks are typically presented in a FIPS 140-2 validation?

With any large endeavor, there are certain areas that present risk and could potentially derail your validation. Developing a strategy upfront will help to mitigate those risks down the road. With nearly twenty years of experience, Corsec has identified the common roadblocks at each of the five stages in the process:

Certification Strategy: Lack of organizational alignment will hinder your ability to get your validation moving quickly and keep it on track throughout the lifecycle of the project. Additionally, you must have market intelligence on your competition and customer requirements prior to developing your strategy; otherwise you could take a path that limits ROI.

Product Security Hardening: Limited experience and expertise with the FIPS requirements will hinder you from a design engineering perspective. The product must comply with requirements in all eleven sections in order to complete the process. Without this expertise, it will be difficult to design, develop, and test a product that will pass muster.

Documentation: Both the government and labs, have very specific methods of preferred formatting for the submission documentation. If not done correctly, you could produce thousands of pages that actually makes the lab’s job more difficult, and ill-timed re-work could significantly delay your project, as well as your ability to begin seeing any ROI.

Laboratory and Algorithm Testing: The lab will request certificates which you must produce from testing your algorithms. These test results are often fraught with challenges and misunderstanding. Having a system to run lab test vector files will expedite the process significantly.

Government Review: Knowledge on the standard will help avoid re-work/duplicative efforts when the government comes back with questions. Defense of your documentation and testing will help to prevent unneeded work that could be avoided with proper advocacy.

If someone wants to get validated, are there things they should start doing right away?

The earlier you can prepare, the better. If you are currently developing your product, take time to bring someone in that knows the FIPS requirements to ensure the design and implementation of the solution meets all eleven requirements. If you have already developed your solution, perform a gap analysis to determine the delta between where you are and where you need to be in order to meet them. This should be the first step any organization takes, whether it is internally performed or assessed through a partner.

How is “FIPS-validated” different from “FIPS-compliant” or “FIPS-Inside”?

There is a substantial difference between having your product achieve FIPS 140-2 validation and claiming your product is FIPS 140-2 compliant.

“FIPS-compliant” or “FIPS-Inside” is a self-designated term, but has no associated requirements or minimum criteria. Further, it has absolutely no government backing. Vendors may use this term in reference to a product that uses FIPS-Approved algorithms or libraries, but has not actually gone through the necessary steps to verify and test that the product is using them in a FIPS-Approved manner. It does not hold any weight nor can you claim you have completed FIPS 140-2 Validation.

“FIPS-validated” asserts that your specific solution has gone through the rigor of the entire FIPS 140-2 process, resulting in the award of a certificate of your own issued by NIST. Further, this means that your product has been tested by an independent third-party laboratory and will meet the legal requirements passed by Congress, as well as the procurement requirements for the U.S. government and other industries, including: healthcare, financial services, and critical infrastructure. Corsec has developed a white-paper to explore this topic further.

Additional Information:

Subscribe to Corsec emails and get updates on security certifications and validations, product security guidance,  InfoSec news, and additional information on how to complete FED and Regulated Industry requirements for security standards and compliance.

Follow us on Social Media for real time updates and share insights on the industry: Twitter, LinkedIn, and Facebook

Check out our Resources & FAQ Page for even more information and assets to help you with product security and certifications.