Kelley to present a CLE webinar to Women in eDiscovery - Indianapolis Chapter on June 5 on the topic: Fabricating & Concealing Data on Smart Phones.

What is FIPS-140 validation and why is it important for NIST 800-171/CMMC?


What is FIPS-140 validation and why is it important for NIST 800-171/CMMC?

Author photo
Vestige Digital Investigations, Cybersecurity Specialist

FIPS 140-2 Validation – Security Requirements for Cryptographic Modules

The Federal Information Processing Standard (FIPS) 140-2 is the foundation for validating the sufficiency and effectiveness of cryptographic hardware. This is a requirement for any device that would process, transmit, or store Controlled Unclassified Information (CUI) when it comes to compliance with NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC). FIPS 140-2 specifies the security requirements for a cryptographic module, or algorithm that is utilized within any systems that would be protecting sensitive information (ie. CUI).

FIPS 140-2 Requirements and Levels

FIPS 140-2 keeps the same four levels of data security across the 11 requirement areas. Cryptographic Module Specification, Cryptographic Module Ports and Interfaces, Roles Services and Authentication, Finite State Module, Physical security, Operational environment, Cryptographic Key Management, EMI/EMC, Self-Tests, Design Assurance, Mitigation of other attacks. Most organizations comply with FIPS 140-2 Level 3 because it is secure, but not difficult to use because of the level of security. Levels one and two require the module to have production-grade equipment and tested algorithms. Levels three and four just add physical tamper-resistant and identity-based authentication. Level 4 for validation can get almost too secure when it comes to the validation, it is very hard to use a system that is compliant with level four due to the restraint all of the security causes. Level three is the happy medium that most of the validated modules tend to comply with. It has good physical and logical security practices that are not too strenuous to use when compliant.

Validated and Compliant, what is the Difference

When it comes to FIPS 140-2 there are “validated” and “compliant” modules. FIPS 140-2 Validated items means that the cryptographic module or product that embeds the module has been validated ‘certified’ by the Cryptographic Module Validation Program (CMPV). FIPS 140-2 compliant is an industry term for products that need validated products for functionality. Concerning NIST 800-171 and CMMC you want to make sure that the product itself or the embedded technology is validated. One way that you can do this is by going to the NIST cryptographic module validation program on the NIST website as well as the cryptographic algorithm validation program (CAVP) to check on the embedded algorithms.

Embedded Technologies

For FIPS compliance you can use approved algorithms rather than a validated module itself. There are many software providers out there that do not have the module validated but use validated algorithms. Typically, the provider will have one or two validated modules that can be viewed on the CMVP. But, if you look at the algorithms in use and search for those in the CAVP you may see that they have more options for viewing whatever technology that you are looking for. For CMMC and FIPS 140-2 as a whole, embedded validated algorithms can pass an audit even if the module itself is not validated. So, ensure that when viewing the CAVP and CMVP you also look at the algorithms in use, so that you can view other available options.

FIPS 140-2 as it Pertains to CMMC

When it comes to CMMC and NIST 800-171 if a control states “protect the confidentiality” of information or other systems. That is typically a sign that something needs to be FIPS 140-2 validated. CMMC level 1 does not include a FIPS requirement for cryptography. When you look at CMMC level 2 however, SC. L2-3.13.11 has one assessment objective that states “FIPS-validated cryptography is employed to protect the confidentiality of CUI.” This means that CUI that is at rest, being processed, or transmitted, needs to have the FIPS 140-2 validated measures implemented. During the initial scoping process for CMMC, you will be able to tell what the FIPS requirement is through a CUI movement register. This document will help you map how CUI travels within your organization and will help you get a better understanding of what needs to meet the FIPS standards.

The Future of FIPS 140-2

FIPS 140-3 will supersede FIPS 140-2, this was approved in March of 2019 and became effective in September of the same year. There is a lengthy process for transitioning to FIPS 140-3 and it can get quite expensive for the companies that want to achieve the certification. In September of 2026, all FIPS 140-2 certificates will be placed on the historical list, meaning that FIPS 140-3 will be fully implemented. As of September 22, 2021, that was the last day that companies could get their modules FIPS 140-2 validated. Now FIPS 140-3 is what the companies will be validated for, there are some differences between 140-2 and 140-3 but there are not that many changes. There are lots of comments from the CMMC public comment period regarding whether FIPS should be a requirement. So, when the CMMC final rule drops there is a chance that the FIPS requirement could be taken out of the CMMC requirements. Though it is a small chance, just as anything could be changed because noting has been set in stone.

If you have questions or would like more information, we’re Cybersecurity Experts at Vestige.  Visit our CMMC Solutions page to learn more, or CONTACT US. We’re happy to help.