Defense contractors looking to comply with NIST 800-171 know they need to protect all Controlled Unclassified Information (CUI) both at rest and in transit with FIPS 140-2 validated encryption. And this requirement can extend to not just CUI in contracts but also to all the technology and services they use. Given that CUI represents sensitive defense information, contractors should realize the importance of properly using FIPS 140-2 encryption algorithms, which are the benchmark for effective cryptographic hardware and software. Importantly, contractors need to know how to determine if their vendors have properly implemented FIPS 140-2 algorithms.
The easiest way to determine if your vendor is FIPS 140-2 certified is to check the NIST website. If a company’s name appears in NIST’s Cryptographic Module Validation Program (CMVP), they have been vetted by NIST and you should feel comfortable using the vendor’s technology.
Achieving the NIST standard is no easy feat. Vendors can take up to 18 months to complete the necessary three-step program where each step must be done in order and cannot be started until the previous one is completed. To pass, vendors must:
Only after this third step can a vendor truthfully claim that they are using FIPS 140-2 validated cryptographic methods and algorithms.
Some vendors will state they comply with FIPS 140-2 standard without undergoing certification. They will promote what is commonly called a ‘FIPS Inside’ justification which means they implement FIPS-approved crypto libraries or use FIPS-approved algorithms in their solutions but their implementation has never been vetted by NIST itself.
While it’s possible to meet the NIST standard for FIPS without having NIST evaluate the entire process, it’s very tricky to determine the implementation’s validity. A contractor would have to examine numerous details of a vendor’s code and ensure all algorithms and modules are meeting the FIPS 140-2 requirements.
In addition, the contractor would need to validate methods that are frequently invisible to contractors such as self-tests, service access controls, error handling, entropy tests, and many other features beyond the encryption algorithms themselves. And this testing is not easy to do.
Best advice is to be wary of vendors whose claim to meeting the FIPS 140-2 standard is based on self-attestation as its very tricky to determine the statement’s accuracy.
If a vendor has been verified for use of FIPS 140-2 algorithms and the module that uses them, they have met a very high bar for their cryptography. At PreVeil, for example, it took us over a year to accomplish the three steps required to become properly evaluated and validated by NIST and ensure we meet FIPS 140-2 requirements. For PreVeil, the validation extends not just to the PreVeil encryption algorithms, but also includes all the details of the end-to-end cryptographic implementation.
Contractors should be confident that vendors meeting the FIPS 140-2 standard are providing the highest level of cryptographic methods and algorithms.
The benefit to customers of relying on vendors who use FIPS 140-2 validated cryptography is evident. But additional benefits are also ensured because by relying on the NIST standard, contractors can be assured that vendors are constantly reviewing and updating their cryptographic system in accordance with NIST requirements. The FIPS 140-2 standard ensures contractors CUI is protected not just today, but in the many years to come.