What Is FIPS 140-2 & Why Does It Matter?


(Editor’s Note: Ray Potter, the blog’s author, is the CEO and Co-founder of SafeLogic.)

Carbon Black has just announced the successful FIPS 140-2 validation of their Carbon Black Cryptographic Module and availability within their Cb Response and Cb Protection products. Our team at SafeLogic is extremely proud to power that effort and in the spirit of our partnership, I’m here to explain what FIPS 140-2 is and why it’s a big deal.

In 1995, NIST (the U.S. National Institute of Standards and Technology) and their Canadian counterpart CSE (Communications Security Establishment) teamed up to establish the mechanisms for testing and certifying that the FIPS 140 benchmark had been met. NIST and CSE employees staff the CMVP (Cryptographic Module Validation Program) and CAVP (Cryptographic Algorithm Validation Program), which cooperate with independent third party testing labs. While the labs conduct functional testing, it is the CMVP that ultimately reviews the results and issues the FIPS 140 validation. This formalized the process into the certification system we know today.

FIPS 140 was written as a requirements document for encryption with the goal of standardizing a minimum strength level for the cryptography used in all Sensitive But Unclassified (SBU) federal operating environments. With so much riding on the enforcement of these minimums, the importance of the CMVP’s role cannot be overstated.

While there are four available levels in the FIPS 140 program, many mistake the “dash two” designation for an indication of a Level 2 validation. To be accurate, FIPS 140-2 is simply the second iteration (hence the -2 suffix) of the encryption benchmark. Industry insiders have long joked that it’s been so long between updates that the next version will have to be FIPS 140-4.

Another common misconception surrounding the four levels is that they are a linear progression. In reality, it is a checkbox – either the cryptographic module has been validated and certified to meet the standard, or it hasn’t been. The levels represent requirements for different types of technology, not a gradient. Modules do not receive A+ or B- grades; they simply get a thumbs up or a thumbs down for the applicable validation level. Software modules are validated for Level 1, while hardware typically validates at Level 2 after meeting physical requirements. Levels 3 and 4 are relatively rare validations, demanding additional expensive hardware features without significant value added for the end user.

FIPS 140-2 has become ubiquitous outside the government as well. It has been adopted as a building block validation by most technology whitelisting programs in regulated industries like finance, healthcare, legal, and utilities. This was as NIST intended. As a clearinghouse for the public and private sectors, NIST produces recommendations such as Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which has become the top reference document for many other programs. SP 800-53 directs that FIPS 140-2 validated encryption be deployed for all cryptographic functions, creating a transitive requirement. As a result, programs such as FedRAMP, FISMA, DoDIN APL, Common Criteria, HIPAA and HITECH healthcare regulations inherit the dependency on FIPS 140-2 validation.

Note that FIPS 140-2 does not demand that the entire product receive validation. In fact, cryptographic testing is irrelevant for product features outside of the encryption module itself and can create undue complication in the validation process. The Carbon Black Cryptographic Module exemplifies the modern strategy that we support at SafeLogic.

By focusing the validation boundaries on the only technology relevant to FIPS 140-2 testing, the result is a well-honed software module that can be integrated within other Carbon Black products. Revalidation is rare and the process is accelerated, meaning that the latest, cutting edge solutions from Carbon Black can be deployed immediately upon release into federal environments. This is a significant win for the government and we’re happy to be part of it.

The post What Is FIPS 140-2 & Why Does It Matter? appeared first on Carbon Black.
