One look at the headlines is all it takes to see why security is at the forefront of every IT team’s mind. Hacks, data theft—you name it; some of the largest corporations have succumbed to these pitfalls over the past few years, and there’s no end in sight. It's no wonder that organizations are scrambling to maintain security regulation compliance with so many threats around the corner.
But while HIPAA, GDPR, and PCI SOX get plenty of attention, it’s also important to keep an eye on some of the lesser-known accreditation programs.
The FIPS 140-2 standard is an information technology security accreditation program for cryptographic modules produced by private sector vendors looking to have their products certified for use in US government departments and regulated industries such as healthcare and finance. Okay, that got a little jargon-y... to put it in plain English, FIPS 140-2 is an encryption standard. The standard was first published in 2001 by the United States National Institute of Standards and Technology, a non-regulatory agency of the US Department of Commerce. The current plan within NIST is to completely skip FIPS 140-3 and move to FIPS 140-4. This will essentially be a wrapper around the ISO standard. Currently, there is no schedule published for the adoption of FIPS 140-4. Here's the important part: FIPS is required by the military and all of its vendors who deal with sensitive national security information on a daily basis, as well as government vendors who need privacy in regards to personal and financial information.
Outside of the government and military, the standard still finds relevance in companies that aren't held to the same compliance standards as those environments mentioned above. FIPS validation involves intensive testing to determine flaws. Below, we take a look at FIPS 140-2 validation and the steps that both vendors and buyers must go through to remain compliant.
What Does FIPS 140-2 Validation Require?
In situations and environments where security is paramount, a FIPS compliant data-transmitting application must meet a couple of requirements:
1) Each Application must use algorithms and hash functions approved by FIPS 140-2.
2) Each application must be validated by the Cryptographic Module Validation Program CMVP testing process. The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC).
As mentioned earlier, if a solution is to meet FIPS validation, it must use cryptographic algorithms and hash functions. Three examples of this include Advanced Encryption Standard, Triple DES, and HMAC SHA-1. AES is an algorithm that has proven to be stronger than Triple DES when using greater key strength. Triple DES is a variant of IBM's 56-bit DES encryption that uses three keys for a total of 168-bit strength. HMAC SHA-1 is a hash function designed by the National Security Agency that authenticates messages and is deployed in combination with a secret key. It's important to keep in mind that FIPS will not approve of applications using certain algorithms including the original 56-bit DES encryption which is considered too weak for modern day use.
While a number of solutions claim to be compliant with FIPS, buyers may not be getting the full story. Being fully compliant with FIPS means not only meeting FIPS requirements but also being FIPS validated. To become FIPS validated, detailed documentation and source code must be sent to NIST's testing laboratory, a process which typically takes 6-9 months on average. Creating FIPS validated solutions, it takes more than just using approved algorithms but also offering well documented, engineered, and tested software. The software is not only tested, it's thoroughly checked for security vulnerabilities, predictable number generation, and reckless disposal of keys. It's critical that IT teams understand that in file transfer software, client and server applications must both be validated.
FIPS 140-2 Security Levels
The different levels within the standard provide different levels of security, and in the higher levels, have different documentation requirements. Each level successively builds on the previous. Below are the levels of security within FIPS compliance.
Level 1: This is the lowest level of security in FIPS. Level 1 means no physical security mechanisms are required in the module aside from the requirement for production-grade equipment.
Level 2: This includes tamper evident security of pick resistant locks. This level provides for role-based authentication and allows for software cryptography in multi-user time-shared systems when used in conjunction with a C2 or another equivalent operating system.
Level 3: This security level offers identity-based authentication and physical security.
Level 4: In Level 4, physical security offers an envelope an envelope of protection around the cryptographic module. This level also protects against fluctuations in the production environment.
Preparing for FIPS Validation
As I’m sure I’ve made clear, FIPS validation isn’t an overnight last minute process; this is something that takes time and preparation. It’s important to note that FIPS 140-2 validation testing doesn’t require that the full product receive validation testing. Cryptographic testing is irrelevant for any product features not within the encryption module itself. Below are a few steps for preparing a product for FIPS validation.
Plan - Establish a validation gameplan. Assemble a team to ensure the validation process moves smoothly. Consider how the process will affect other projects and how to present the documentation needed for validation,
Assess - To ease the validation process, make the necessary changes required before submitting. Assess your software for any shortcomings.
Budget - Understand the costs associated with FIPS validation. You should prepare a budget for FIPS testing fees well in advance.
Ipswitch and FIPS Validation
Ipswitch’s WS_FTP Server, MOVEit Central, and MOVEit File Transfer deliver a set of FIPS-validated solutions that meets or exceeds FIPS 140-2 standards. A FIPS validation is difficult to obtain, but it is a necessity for many government agencies and the military, as well as many vendors who regularly deal with those entities. Additionally, FIPS’s lengthy and rigorous testing process is an excellent quality indicator for other parties looking for a secure file transfer solution.
With WS_FTP Server’s long history of secure file transfer and MOVEit’s track record of a successful FIPS solution, Ipswitch File Transfer’s products are a thoroughly dependable component of any organization’s file transfer solution—both for organizations requiring FIPS and organizations that do not.