FIPS & FedRAMP: What You Need to Know

Glowing blue digital padlock with circuit patterns sits atop a hexagonal tech surface, symbolizing cybersecurity and data

FIPS & FedRAMP Primer

We often get asked what the most critical areas are in achieving a FedRAMP authorization in terms of authorization showstoppers. There are plenty of architecture elements to consider but one of the most complex and highly scrutinized requirements is around a successful implementation of Federal Information Processing Standards Publications (FIPS) 140-2 technologies. What does it mean to implement FIPS 140-2 validated technologies into a cloud offering and what is the difference between FIPS validated and FIPS compliant? Ensuring that CSPs are adhering to the FIPS 140-2 validated standard (soon to be FIPS 140-3 for the FedRAMP program) is a critical element in FedRAMP authorization success. Matter of fact, it is a non-negotiable issue for the FedRAMP Joint Authorization Board (JAB) authorizations and most Federal agencies as it is a Federal Mandate requirement as stipulated in the Readiness Assessment Report.

“Lack of FIPS 140-2 validated products is a showstopper for all FedRAMP JAB and most Agency authorizations”

We are going to dive into the basics around FIPS 140-2 & FIPS 140-3, why it is important, the difference between FIPS validated and compliant and how to apply and set the foundation for implementing these complex requirements into existing or future cloud service offering architectures. Future releases of this FIPS and FedRAMP series will also look to apply specific use cases to the major hyperscale cloud providers.

What is FIPS & the difference between FIPS 140-2 and FIPS 140-3?

Federal Information Processing Standards (FIPS) Publications are issued by the National Institute of Standards and Technology (NIST) through the Secretary of Commerce. As part of the FIPS effort, the Cryptographic Module Validation Program (CMVP) validates cryptographic modules to a defined set of criteria and cryptographic standards. In the CMVP, vendors of cryptographic modules use independent, accredited testing laboratories to have their modules tested. National Voluntary Laboratory Accreditation Program (NVLAP) accredited laboratories perform cryptographic module compliance/conformance testing. Products validated as conforming to FIPS 140-2 are accepted by the Federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada).

FIPS 140-2 (existing baseline requirement) – leveraging FIPS 140-2 validated products is a hard requirement for the FedRAMP JAB and most Federal Agency authorizations. Very few Federal Agencies approve exceptions, and once approved, they still need to be accepted by the FedRAMP PMO for the system to be listed on the FedRAMP Marketplace as an authorized CSP.

FIPS 140-3 (Upcoming baseline requirement) – FIPS 140-3 replaces FIPS 140-2 and further aligns with ISO/IEC 19790:2012(E) and ISO/IEC 24759:2017(E). Major changes in FIPS 140-3 are limited to the introduction of non-invasive physical requirements.

The FIPS 140-2/140-3 standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed.

While FIPS 140-2 will be valid for FedRAMP offerings through 2026, the CMVP will only accept applications for FIPS 140-2 validation through September 2021. After that time, all new applications must be submitted under FIPS 140-3 for validation.

FIPS Compliant vs. Validated?

FIPS 140-2 Approved Vendors?

Given the complexities of achieving a FIPS 140-2 validation and since FedRAMP requires that all cryptography utilized in the system is FIPS validated and has a FIPS validated certificate number, CSPs can do a quick search in the NIST CMVP for FIPS 140-2 validated modules The National Institute of Standards and Technology (NIST) maintains a current list of all FIPS validated modules and has provided a searchable interface located at https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search. An advanced search option is also available which can be used to further refine your search criteria

Whether you are a CSP or a FedRAMP advisor/assessor, this is where organizations verify technology products that are FIPS validated. The NIST CMVP site should be utilized as the authoritative source for verifying the FIPS validation of your potential FIPS products and solutions. There is even a search feature for products that are undergoing a validation review and listed as In Process. Potential architecture use cases will be covered in future posts.

Applicable FIPS 140-2 controls FedRAMP?

Let us start piecing together how to better interpret the FedRAMP-related cryptographic security controls with the FIPS 140-2 requirements within an architecture.

  • Data In Transit
    • Customer (Web application) – all web application sessions must be encrypted via FIPS 140-2 validated crypto modules.
    • CSP administrative (Remote access) – all remote access sessions to the application or underlying infrastructure (AWS, Azure, GCP, IBM, Others) must be encrypted via FIPS 140-2 validated crypto modules.
    • Site-to-site replication – all site-to-site replication for disaster recovery must be encrypted via FIPS 140-2 validated crypto modules.
  • Data At Rest
    • All data at rest must be encrypted via FIPS 140-2 validated crypto modules.
  • Authentication
    • Authentication must meet the Digital Identity requirements as stipulated in NIST SP 800-63. This publication requires FIPS validated modules for multifactor authenticator (MFA) products.
    • Identity Management/Provider must be configured to operate in FIPS mode.

Before we dig too deep in the vendor pool (determining what products to procure) – let us think about where we apply the requirements within a standard architecture. Anywhere that cryptography is deployed, it must leverage FIPS 140-2 validated technologies. There are far more complex architectures out there, but we will start with a simple cloud architecture. Below we have highlighted potential areas where FIPS 140-2 validated controls would apply (at a minimum).

Summary

While the topic of FIPS and FedRAMP has put many people to sleep, it is an absolute critical step in your journey to FedRAMP authorization. Unfortunately, there have been many FedRAMP pursuits that have been abruptly halted due to non-compliance in this area. Make sure that you understand what type of cryptography you have employed within your FedRAMP architecture, where it is applied (at rest, in transit, authentication) and that you are using FIPS 140-2 validated technologies in the proper FIPS mode to meet the requirements.

This document is the first in a series of blog posts specifically targeting the complexities of FIPS and FedRAMP. Next, we will start showcasing different Infrastructure as a Services (IaaS) providers and look to provide practical customer use cases for easier understanding and industry adoption.