Federal agencies purchasing cryptographic-based security systems must confirm an associated FIPS 140-2 certificate exists. This procurement “check-box” item is a deal-breaker. Vendor claims of “designed for FIPS” or “FIPS ready” are not sufficient to pass this hurdle. There is an advantage in selecting a product with a FIPS 140-2 certificate over a solution that has not undergone the rigorous approval process.
No FIPS certificate = No sale
FIPS 140-2 overview
The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. Testing against the FIPS 140-2 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment (CSE) of Canada.
The current version of the standard, FIPS 140-2, has security requirements covering 11 areas related to the design and implementation of a cryptographic module. Each module has its own security policy — a precise specification of the security rules under which it operates — and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. For each area, a cryptographic module receives a security level rating 1 to 4 (from lowest to highest) depending on the requirements met. Validation against the FIPS 140-2 standard is required for all U.S. federal government agencies that use cryptography-based security systems — hardware, firmware, software, or a combination — to protect sensitive but unclassified information stored digitally. NIST publishes a searchable list of vendors and their cryptographic modules validated for FIPS 140-2.
Innovation in Next Generation Encryption
Cisco and FIPS 140-2
Cisco is a leader in securing Federal Information Processing Standard (FIPS) 140 validations. We are dedicated to information assurance and complying with standards for both product depth and breadth. FIPS 140 is a U.S. government standard that specifies security requirements for cryptographic modules. A cryptographic module is defined as “the set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.” The cryptographic module is what is being validated.
Cisco Global Certification and Common Security Modules have been implemented as an innovative approach to expedite FIPS certifications. They developed a crypto module that is already FIPS-validated and can be embedded in Cisco products. Because the crypto module is already FIPS-validated, the Cisco product can claim compliance to FIPS 140. The compliance process verifies that the Cisco product has implemented cryptography according to standards and all applications that use cryptography do so correctly. These solutions include, but are not limited to:
Cisco Unified Communications Manager and Session Management EditionCisco Wireless (embedded wireless)Cisco WaveAnyConnect (Windows, Android, iOS)ASR 901, 902, 903, 920, 1000 Series XE Catalyst Embedded Wireless Controller on AP_IOS XE Cisco Collaboration Endpoint SoftwareCER (Emergency Responder)CGR 2010 Series Connected Grid Routers running IOS Cisco Integrated Management Controller Express(CIMC)Cisco (XE and SDWAN modes)Cisco Action Orchestrator (AO) within Cloud Center Suite Cisco CAaaS Cisco Cloud Services Router (CSR) 1000v Series running XE 17.3 (XE and SDWAN modes)Cisco Email Security Appliance (ESA) running ESA 13.0.xCisco Emergency Responder v.14Cisco Firepower 7K, 8K, and AMP Series Appliances Cisco Intersight 1.0Cisco Meeting Server (CMS) Cisco UCCX on 12.5Cisco Unity Connection v.14Cisco Web Security Appliance (WSA) Cisco WebEx Meeting Server (CWMS) Cisco Wireless Wave 2 and IoT APsCisco ASA Series Security AppliancesCMS(Cisco Meeting Server, formerly Acano Server)CUBE on CSR 1000V running IOS XE (+Unified Border Element, Cloud Services Router)CUC (Cisco Unity Connection)CUCM (Unified Communications Manager)Cisco Emergency Responder Firepower Management Center (FMC) HyperFlex running Cisco IoT IE2000, IE4000, IE5000, CGS2520 running IOS ISE (Identity Services Engine) Jabber [Android 9, iPhone/iPad 12, Windows 10]Meraki MR – SW Nexus 3000,4000,5000,6000, 7000, 9000 Series Switches running NX-OSSmart Software Manager satellite (SSMsat) Stealthwatch Unified Communications Manager (CUCM)Web Security Appliance (WSA)Cisco® Implementing and Operating Cisco® Security Core Technologies (SCOR)Cisco® SD-WAN Solutions (SDWAN)Cisco® Administering Cisco® Unified Communications Manager and Unity Connection (ACUCM with AUC)Introduction to Cisco 5G Solutions (5GINT)Microsoft and FIPS 140-2
Microsoft maintains an active commitment to meeting the FIPS 140-2 requirements, having validated cryptographic modules since the standard’s inception in 2001. Microsoft certifies the cryptographic modules used in Microsoft products with each new release of the Windows operating system. For technical information on Microsoft Windows cryptographic modules, the security policy for each module and the catalog of CMVP certificate details. While the current CMVP FIPS 140-2 implementation guidance precludes a FIPS 140-2 validation for a cloud service, cloud service providers can obtain and operate FIPS 140-2 validated cryptographic modules for the computing elements that comprise their cloud services. Azure is built with a combination of hardware, commercially available operating systems (Linux and Windows), and Azure-specific version of Windows. Through the MicrosoftSecurity Development Lifecycle(SDL), all Azure services use FIPS 140-2 approved algorithms for data security because the operating system uses FIPS 140-2 approved algorithms while operating at a hyper scale cloud. Moreover, Azure customers can store their own cryptographic keys and other secrets in FIPS 140-2 validated hardware security modules (HSM). While the current CMVP FIPS 140-2 implementation guidance precludes a FIPS 140-2 validation for a cloud service itself; cloud service providers can choose to obtain and operate FIPS 140 validated cryptographic modules for the computing elements that comprise their cloud service. These solutions include, but are not limited to:
Azure and Azure GovernmentDynamics 365 and Dynamics 365 GovernmentOffice 365, Office 365 U.S. Government, and Office 365 U.S. Government DefenseWindows Server Microsoft Dynamics CRM Microsoft SQL Server Microsoft Windows 10Microsoft Windows 10 Mobile Microsoft Windows Server Windows Server 2019Microsoft Azure Data Box EdgeBitlockerVMWare and FIPS 140-2
VMware has validated various cryptographic modules against the FIPS 140-2 standard. The FIPS 140-2 standard specifies and validates the cryptographic and operational requirements for the modules within security systems that protect sensitive information. These modules employ NIST-Approved security functions such as cryptographic algorithms, key sizes, key management and authentication techniques.
These solutions include, but are not limited to:
VMware’s VPN VMware’s OpenSSL VMware’s IKE VMware’s LinuxVMware BC-FJA (Bouncy Castle FIPS Java APIVMware VMkernelVMware AirWatchVMware Horizon JCEVMware vCenter ServerVMware VsphereVMware View™VMware ACE Red Hat and FIPS 140-2
Historically, software operating on a FIPS 140-2 certified system did not automatically inherit the sophisticated cryptography certifications of the base operating system. With this certification, Red Hat becomes the first in the industry to provide assurance that its integrated solutions that incorporate Red Hat Enterprise Linux will retain the FIPS 140-2 certification. These solutions include, but are not limited to:
Red Hat Ceph StorageRed Hat CloudFormsRed Hat Enterprise Linux Atomic HostRed Hat Gluster StorageRed Hat OpenShift Container PlatformRed Hat OpenStack PlatformRed Hat VirtualizationRed Hat Enterprise Linux The certified modules retain FIPS 140-2 certification on these hardware configurations:
Dell PowerEdge R630with Processor Algorithm Accelerators (PAA)Dell PowerEdge R630without PAAWhat are FIPS 140-2 and FIPS 140-3?
Federal Information Processing Standards (FIPS) 140-2 is a mandatory standard for the protection of sensitive or valuable data within Federal systems. FIPS 140-3 is an incremental advancement of FIPS 140-2, which now standardizes on the ISO 19790:2012 and ISO 24759:2017 specifications. Historically, ISO 19790 was based on FIPS 140-2, but has continued to advance since that time. FIPS 140-3 will now point back to ISO 19790 for security requirements. Keeping FIPS 140-3 as a separate standard will still allow NIST to mandate additional requirements on top of what the ISO standard contains when needed.
Among the changes for FIPS 140-3 are conditional algorithm self-tests, where the algorithm self-tests are only performed if used. The pre-operational self-test is now faster, as all the algorithms are not tested until needed. This helps with startup times as the public key self-testing can be time consuming. The “self-tests” can be run at appropriate times for your application startup. Also, there is additional testing of the DRBG entropy sources. WolfSSL is working hard with our lab to make WolfCrypt be the first cryptography library to have FIPS 140-3 validation. WolfCrypt has been listed on the CMVP IUT List for FIPS 140-3! They are currently working with our testing lab to get validated as quickly as possible with the new FIPS standard from the NIST. WolfSSL is the first software library on the FIPS 140-3 IUT list for embedded development.