Defense contractors handling sensitive Department of Defense (DoD) data must comply with the National Institute of Standards and Technology (NIST) FIPS 140-2 security standard.
 
The Federal Information Security Management Act (FISMA) dictates that U.S. government agencies, U.S. government contractors, and third parties working for federal agencies are all required to use FIPS 140-2 to protect sensitive data.
 
The FIPS protocol ensures a unified standard to protect sensitive government data from increasingly sophisticated cyberattacks and threats. But what is FIPS and why is it important?

What is FIPS 140-2?

The National Institute of Standards and Technology (NIST) created FIPS 140-2 in 2001 as a successor to FIPS 140-1 with the goal of improving the security of computer and telecommunications systems in the government. The regulation sets a cryptographic-based security standard for systems protecting sensitive but unclassified data.
 

FIPS 140-2 was issued as a standard in 2001 as a successor to FIPS 140-1, which also addressed security requirements for cryptographic modules.

 
Today, FIPS 140-2 is the benchmark for effective cryptography and is used by many government agencies. The Defense Industrial Base (DIB) relies on FIPS 140-2 because it represents a high standard of security. Its cryptographic standard is invoked by a number of other regulations.

FIPS 140-2 Validation is Required for Meeting NIST 800-171

Any defense contractor handling Controlled Unclassified Information (CUI) must meet NIST 800-171. NIST 800-171 is an essential part of both DFARS 252.204-7012 and CMMC 2.0. It states that federal agencies must comply with FIPS and employ “cryptographic mechanisms” to protect the confidentiality of any CUI.
 
There are multiple controls within NIST 800-171 that rely on FIPS. For example, 3.13.11 states that contractors must “employ FIPS-validated cryptography when [cryptography is] used to protect the confidentiality of CUI.”
 
Further controls also call upon FIPS. 3.13.8 calls for the use of cryptographic mechanisms to protect CUI during transmission unless otherwise protected by alternative physical safeguards. 3.13.16 calls on FIPS for protecting CUI at rest.
 

FIPS is required regardless of whether the device handling CUI is a desktop or a mobile device.

 
FIPS is always required to protect CUI. It doesn’t matter if you’re looking at a desktop or a mobile device. It doesn’t matter if you’re looking at peripheral devices or endpoints. It doesn’t matter if the CUI involves files or individual documents, images or text. As a blanket rule, expect to need to meet FIPS.

Voluntary Assessments Underline Importance of Meeting FIPS 140-2

Recent Voluntary Assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and CMMC Third Party Assessment Organizations (C3PAOs) have further highlighted the importance of proper FIPS 140-2 implementation. Many organizations struggle to meet the FIPS standard for protection of CUI on devices and endpoints. Per the NIST 800-171 standard, CUI has to be secured at rest and in transit with FIPS 140-2 validated algorithms.
 
In order to meet the FIPS standard, the vendors you use for your devices and software must be FIPS certified. As part of your assessment, DIBCAC and C3PAOs will look for a certification of encryption for the device or software you are using, to ensure that your vendor meets FIPS 140-2. Without proper documentation, you won’t be able to demonstrate compliance.

How to tell if it’s real FIPS 140-2

The easiest way to determine if your vendor is FIPS 140-2 certified is to check the NIST website. If a company’s name appears in NIST’s Cryptographic Module Validation Program (CMVP), they have been vetted by NIST and you should feel comfortable using the vendor’s technology.
 
Achieving the NIST standard is no easy feat. Vendors can take up to 18 months to complete the necessary three-step program. Each step must be done in order and cannot begin until the previous one is completed.
 
To pass, vendors must:
 

  1. Document all cryptographic methods and algorithms implemented against the NIST standard. Any gaps in the vendor’s implementation must be filled by writing the missing code or documentation.
  2. Participate in the NIST Cryptographic Algorithm Validation Program (CAVP) where a NIST lab tests and evaluates the algorithms implemented in the vendor’s code. Each algorithm that passes will receive a CAVP certificate from NIST.
  3. Have NIST test and evaluate the cryptographic module from end to end including the documentation and the CAVP-certified algorithms that are used in the module itself. When the testing is complete and approved, NIST issues a CMVP certificate for the validated cryptographic module.

Only after this third step can a vendor truthfully claim that they are using FIPS 140-2 validated cryptographic methods and algorithms.

What about “FIPS Inside”

Some vendors will state they comply with the FIPS 140-2 standard without undergoing certification. They will promote what is commonly called a ‘FIPS Inside’ justification, which means they implement FIPS-approved crypto libraries or use FIPS-approved algorithms in their solutions, but their implementation has never been vetted by NIST itself.
 
While it’s possible to meet the NIST standard for FIPS without having NIST evaluate the entire process, it’s very tricky to determine the implementation’s validity. A contractor would have to examine numerous details of a vendor’s code and ensure all algorithms and modules are meeting the FIPS 140-2 requirements.
 
In addition, the contractor would need to validate methods that are frequently invisible to contractors such as self-tests, service access controls, error handling, entropy tests, and many other features beyond the encryption algorithms themselves. This testing is not easy to do.
 
Be wary of vendors who self-attest to meeting the FIPS 140-2 standard. It will be very tricky to determine the statement’s veracity.
 
A CMVP certificate, and this certificate alone, ensures that you have best-in-class security when it comes to the encryption standards your vendor provides. Here’s PreVeil’s – any trustworthy vendor will be willing to show you theirs, too.
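Two of the checks described above, separating a CMVP-validated module from a “FIPS Inside” self-attestation and confirming that CUI in transit uses only FIPS-approved algorithms (the 3.13.8 and 3.13.11 controls), as an added Python example. This is not code from the original article or from PreVeil’s product. The vendor records, the cipher string and the NOT_APPROVED set are constructed assumptions for illustration; the authoritative algorithm list for any given module is its own CMVP security policy, and the certificate status must be read from NIST’s CMVP listing, which this script does not fetch.

```python
"""Constructed pre-assessment audit helper for a CUI asset inventory.

Checks:
  1. classify each vendor's claim as CMVP-validated, 'FIPS Inside'
     (self-attested, never vetted by NIST), or no claim at all;
  2. scan an OpenSSL-style cipher list for algorithms that are not
     FIPS-approved, so a TLS configuration carrying CUI can be reviewed
     against 3.13.8 / 3.13.11;
  3. report whether the local host itself is running in FIPS mode.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumption: a representative subset of OpenSSL cipher-suite tokens that are
# not FIPS-approved. Extend it from the module's CMVP security policy.
NOT_APPROVED = {"MD5", "RC4", "DES", "BF", "CHACHA20", "POLY1305", "NULL", "EXP"}


@dataclass
class VendorRecord:
    name: str
    claims_fips: bool                 # vendor marketing says "FIPS 140-2 compliant"
    cmvp_certificate: Optional[str]   # certificate number as shown on NIST's CMVP list
    cert_status: str = "unknown"      # "active", "historical", "revoked", "unknown"


def classify_vendor_claim(rec: VendorRecord) -> str:
    """Only an active CMVP certificate counts as validated cryptography."""
    if rec.cmvp_certificate and rec.cert_status == "active":
        return "cmvp-validated"
    if rec.cmvp_certificate:
        return f"cmvp-{rec.cert_status}"   # listed, but not an active certificate
    if rec.claims_fips:
        return "fips-inside"               # self-attested; nothing for an assessor to verify
    return "no-claim"


def non_approved_in_cipher_list(cipher_list: str) -> list:
    """Return non-approved algorithm tokens found in an OpenSSL cipher string.

    Suites are ':'-separated; each suite is '-'-separated tokens such as
    'ECDHE-RSA-AES256-GCM-SHA384'. 'DES-CBC3' is triple DES, reported as
    '3DES' (deprecated, reviewed separately) rather than as single DES.
    """
    findings = []
    for suite in cipher_list.split(":"):
        tokens = [t.upper() for t in suite.split("-") if t]
        if "CBC3" in tokens:
            findings.append("3DES")
            tokens = [t for t in tokens if t != "DES"]
        findings.extend(t for t in tokens if t in NOT_APPROVED)
    # de-duplicate while keeping first-seen order for a readable report
    return list(dict.fromkeys(findings))


def host_fips_enabled() -> Optional[bool]:
    """Linux kernel FIPS flag; None when the file is absent (non-Linux host)."""
    try:
        with open("/proc/sys/crypto/fips_enabled") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def md5_blocked() -> bool:
    """A FIPS-mode OpenSSL makes hashlib.md5() raise ValueError."""
    try:
        hashlib.md5(b"probe")
        return False
    except ValueError:
        return True


def audit(records, cipher_list: str) -> dict:
    """Build the evidence an assessor will ask for, per vendor and per config."""
    return {
        "vendors": {r.name: classify_vendor_claim(r) for r in records},
        "cipher_findings": non_approved_in_cipher_list(cipher_list),
        "host_fips_mode": host_fips_enabled(),
        "host_md5_blocked": md5_blocked(),
    }


# Constructed inventory: names and certificate numbers are placeholders.
SAMPLE_RECORDS = [
    VendorRecord("VendorA-EmailEncryption", True, "#0000-PLACEHOLDER", "active"),
    VendorRecord("VendorB-FileSync", True, None),              # "FIPS Inside" claim
    VendorRecord("VendorC-LegacyVPN", True, "#0001-PLACEHOLDER", "historical"),
    VendorRecord("VendorD-Printer", False, None),
]
SAMPLE_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:RC4-MD5:DES-CBC3-SHA:ECDHE-RSA-CHACHA20-POLY1305"

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RECORDS, SAMPLE_CIPHERS).items():
        print(f"{key}: {value}")
```

Keep the per-vendor classification and the certificate number in your compliance records; a “fips-inside” or “cmvp-historical” result is exactly the gap an assessor will find, and the cipher findings show where a transport configuration still negotiates algorithms that no CMVP certificate covers.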

Conclusion

As a government contractor, the ultimate responsibility for ensuring compliance lies with you. It is your responsibility to ensure that any software or hardware you use to handle CUI meets the critical security parameters set forth by FIPS 140-2.
 
A reputable vendor will be able to provide you with validation of FIPS 140-2 for its algorithms. Keep this in your records, so you don’t expose yourself to undue liability.