If you’re a defense contractor handling sensitive Department of Defense data, you need to understand the National Institute of Standards and Technology (NIST) FIPS 140-2 security standard.
The Federal Information Security Management Act (FISMA) dictates that U.S. government agencies, U.S. government contractors and third parties working for federal agencies are all required to use FIPS 140-2 to protect sensitive data. The FIPS standard establishes a unified baseline for protecting sensitive government data from increasingly sophisticated cyberattacks and threats.
But what is FIPS and why is it important? That is the purpose of this blog.
FIPS 140-2 was created by the National Institute of Standards and Technology (NIST) in 2001 for improving the security of computer and telecommunications systems in the government. FIPS 140-2 achieves this goal by providing a cryptography-based security standard that must be met by any system protecting sensitive but unclassified data.
Today, FIPS 140-2 is the benchmark for effective cryptography and is used by many government agencies as their standard for data protection. The Defense Industrial Base (DIB) relies on FIPS 140-2 because it represents a high standard of security.
And contractors handling Controlled Unclassified Information (CUI) must employ FIPS 140-2 compliant algorithms to protect the data per their NIST 800-171 requirements.
Any defense contractor handling CUI must meet the NIST 800-171 standard. NIST 800-171 is an essential part of both DFARS and CMMC 2.0 NIST requirements, which state that federal agencies must comply with FIPS and employ “cryptographic mechanisms” to protect the confidentiality of any CUI.
There are multiple controls within NIST that rely on FIPS. For example, 3.13.11 states that contractors must “employ FIPS-validated cryptography when [cryptography is] used to protect the confidentiality of CUI.”
Further controls also call upon FIPS. 3.13.8 calls for the use of cryptographic mechanisms to protect CUI during transmission unless otherwise protected by alternative physical safeguards. 3.13.16 calls on FIPS for protecting CUI at rest.
FIPS is required regardless of whether the device handling CUI is mobile or a desktop. 3.1.19, for example, calls upon FIPS when encrypting CUI on mobile devices and mobile computing platforms.
FIPS is always required to protect CUI. It doesn’t matter whether you’re looking at peripheral devices or endpoints. It doesn’t matter if the CUI involves files or individual documents, images or text. As a blanket rule, expect to need to meet FIPS.
Recent Voluntary Assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and CMMC Third Party Assessment Organizations (C3PAOs) have further highlighted the importance of proper FIPS implementation.
At PreVeil’s recent CMMC Day 2022, CMMC Certified Provisional Assessor Jennifer Henderson noted that one of the most significant shortcomings in assessed organizations has been meeting the FIPS standard for protecting data, both at endpoints and on peripheral devices.
All contractors handling CUI will need to be assessed sooner or later. DIBCAC and C3PAOs will look for a certification of encryption for the device or software you are using, to ensure that they meet FIPS 140-2. Without proper documentation, you won’t be able to demonstrate compliance.
You can’t achieve FIPS 140-2 by simply checking boxes off of a list. To succeed in the validation process, both the strength of the algorithms themselves and their effective implementation are tested by NIST labs.
First, a NIST lab will test and evaluate the algorithms implemented in the vendor’s code. Those algorithms must use encryption methods certified by the Cryptographic Algorithm Validation Program (CAVP). Further, NIST will test to see if the algorithms are being used in the asserted ways. NIST will do an in-depth analysis, looking at such things as whether there’s sufficient randomness and entropy.
From there, the FIPS module is tested end to end through the Cryptographic Module Validation Program (CMVP). NIST will test and evaluate every function of the cryptographic module. Documentation will be thoroughly inspected, as will the CAVP-certified algorithms used in the module itself, to ensure that the approved algorithms are, in fact, the ones the module is using. Once testing has been successfully completed, NIST will issue a CMVP certificate for the validated cryptographic module.
FIPS 140-2 validation is an intensive, rigorous process. The preparation for testing and the testing itself can take up to 18 months. At the end of the process, a vendor that has successfully passed validation will receive a certificate that can (and should) be provided to its customers.
A CMVP certificate, and this certificate alone, ensures that you have best-in-class security when it comes to the encryption standards your vendor provides. Here’s PreVeil’s – any trustworthy vendor will be willing to show you theirs, too.
To adopt FIPS 140-2 compliant algorithms, PreVeil has supplemented our encryption schemes. We have updated the algorithms for both our asymmetric as well as our symmetric encryption algorithms.
The three-step process of being properly evaluated and validated by NIST for FIPS 140-2 compliance took over a year. This validation extends not just to the PreVeil encryption algorithms, but also covers all the details of the end-to-end cryptographic implementation.
Contractors are responsible for ensuring that their vendors meet the FIPS 140-2 standard for providing the highest level of cryptographic protection. Do not take a vendor’s word for it when it comes to security, because if things go sideways the buck stops with you. The only way to know that your vendors are up to code is to review their certification.
Ask to see PreVeil’s FIPS 140-2 validation. We’re happy to provide it.
As a government contractor, the ultimate responsibility for ensuring compliance lies with you. It is your responsibility to ensure that any software or hardware you use to handle CUI meets the critical security parameters set forth by FIPS 140-2. A reputable vendor will be able to provide you with validation of FIPS 140-2 for its algorithms. Keep this in your records, so you don’t expose yourself to undue liability.