One of the most secure ways to protect data is to use encryption systems. However, there are no standards to govern data encryption systems and the algorithms they use to turn plain text into encrypted data.
That’s why organizations in the private sector simply choose the data encryption system that works best for them. However, to ensure a standardized system across all of its departments and agencies, the U.S. federal government has set standards for the encryption systems it uses.
It’s called FIPS.
What Is FIPS?
The Federal Information Processing Standards (FIPS) are standards developed by the National Institute of Standards and Technology’s (NIST) Computer Security Division. These standards describe document processing, encryption systems, and other IT standards to be used within non-military government agencies. Government contractors are also expected to adhere to FIPS.
What Is FIPS 140-2?
FIPS 140-2 is the standard used by the United States government to validate that cryptographic modules and solutions (hardware and software) produced by private sector companies meet the NIST standards and adhere to the Federal Information Security Management Act of 2002 (FISMA).
The FIPS 140-2 encryption standard defines four security levels:
Level 1: Requires that production-grade equipment and externally tested algorithms be used.
Level 2: Requires physical tamper-evidence and role-based authentication for hardware. Software is required to run on an Operating System (OS) approved to Common Criteria (CC) at Evaluation Assurance Level 2 (EAL2).
Level 3: Hardware must feature physical tamper-resistance and identity-based authentication. There must also be a physical or logical separation between the interfaces through which critical security parameters (CSPs) enter and leave the module. Furthermore, private keys can only enter or leave the module in an encrypted form.
Level 4: This is the highest level. It requires hardware to be tamper-active, meaning the module must erase its contents as soon as it detects any departure from its normal operating conditions.
Most organizations need, and therefore specify, FIPS 140-2 Level 3 certified equipment to ensure robust data protection. This level offers the best balance between effective security and operational convenience.
Let’s take a closer look at what it takes to qualify for FIPS 140-2 Level 3 compliance.
What Does It Take to Qualify for FIPS 140-2 Level 3?
For a cryptographic module to meet Level 3 of the FIPS 140-2 standard, it must be tested against, and satisfy, the Level 3 requirements in four areas.
Physical Security
These include physical security mechanisms designed to detect and prevent intruders from accessing the CSPs within the cryptographic module. The mechanisms must react to attempts at unauthorized access to, or use of, the cryptographic module by automatically erasing (zeroizing) the plaintext CSPs held within the module.
Identity-Based Authentication
This is a step beyond the role-based authentication required at Level 2. For Level 3 compliance, it is the identity of the individual operator that must be authenticated, not just their role. A simple example is a network that requires specific user logins as opposed to role-based logins.
Physical or Logical Separation
The input and output of plaintext CSPs must be performed over ports that are physically separated from the module’s other ports. Similarly, in a virtual (software) environment, the corresponding interfaces must be logically separated.
Otherwise, CSPs may only be input to or output from the cryptographic module in encrypted form.
Operating System Requirements
FIPS 140-2 Level 3 allows a cryptographic module to run on a general-purpose computer as long as its operating system meets the minimum requirements, which include a Common Criteria (CC) evaluation at EAL3 or higher.
Why All This Fuss?
What’s all the fuss about meeting all these requirements?
With increasing risks associated with data use and storage, everyone must take stringent measures to ensure that sensitive information is kept safe from malicious agents. This is why the federal government and other sectors that deal with sensitive information (such as finance and health) require FIPS 140-2 compliance. It ensures the proper encryption and protection of data.
Compliance should be at the top of your list as an organization, and we can help you meet the requirements. From data encryption software to encrypted storage devices, we provide rigorously tested, FIPS 140-2 Level 3 compliant solutions. Give us a call at 818-773-8989, and let’s talk compliance.