Achieving a FIPS 140-2 validation for your product is a great way to strengthen your solution, enhance your brand, and secure your bottom line. When pursuing FIPS, you will be faced with difficult and often confusing decisions, leaving you with many questions. One question we are always asked is the difference between being FIPS Validated and FIPS Compliant (sometimes referred to as FIPS Inside). This is a critical question, as there is a substantial difference between having your product achieve FIPS 140-2 validation and claiming your product is FIPS 140-2 compliant. To help, Corsec has developed the quick reference guide below as well as a FIPS Inside Whitepaper that explores this topic further:
What is FIPS Inside / FIPS Compliant:
“FIPS Compliant” or “FIPS-Inside” is a self-designated term, often used in reference to a device or appliance that employs a FIPS-validated subcomponent to provide its cryptographic services. Unfortunately, these solutions have absolutely no government backing. Vendors use this term in reference to products that use FIPS-Approved algorithms or libraries, but have not actually gone through the necessary steps to verify and test that the product is using them in a FIPS-Approved manner.
It does not hold any weight, nor can it claim a completed FIPS 140-2 Validation. As an example, a company may incorporate another company’s cryptographic module which went through the FIPS validation process on its own. Although the cryptographic module that was dropped into the product has gone through validation, the overall product still has not been validated, leaving concern and speculation over the product’s security.
What is FIPS Validated:
“FIPS-validated” asserts that your specific solution has gone through the rigor of the entire FIPS 140-2 process, resulting in the award of a certificate of your own issued by NIST. Further, this means that your product has been tested by an independent third-party laboratory and will meet the legal requirements passed by Congress, as well as the procurement requirements for the U.S. government and other industries, including: healthcare, financial services, and critical infrastructure.
Is FIPS Compliant Right For Me:
Maybe. The FIPS Compliant approach is very convenient, and can, in fact, be a viable option in certain situations. The optimal scenario is that the vendor of the device also controls the targeted subcomponent. However, when relying on a third-party’s software solution, this path also comes with its share of very real pitfalls:
- It provides very limited assurance
- Your product becomes dependent on a third-party’s issues and schedule
- It limits your ability to compete
- It brings your company’s commitment to security into question
These are very real concerns and each vendor should consider the impact on their product.
There’s nothing inherently wrong with embedding a FIPS-validated solution. But the impact on your product, company, and customers should be considered. The approach makes it very difficult to vouch for your own product’s security, and if you can’t truly vouch for your own product’s security, that becomes a reflection of your true commitment to providing a secured solution.
When choosing a strategy to meet strict security conformance requirements, as in any business decision, one must gather as much information as possible in order to make an educated decision. Factors such as convenience, resource availability, time-to-market, sustainability, long- and short-term costs, benefits, and risks must all be weighed to determine the most viable course of action. While integrating a third-party crypto service solution in order to meet FIPS requirements seems like the best choice (and sometimes, it actually is), there are a growing number of business-related drawbacks to this path that must be identified and weighed. Choosing a path without taking these drawbacks under careful consideration could impact your validation status and ability to compete for years to come.