Compliance

Federal Information Processing Standards (FIPS)

The Federal Information Processing Standards (FIPS) publications are guidelines that set best practices for software and hardware computer security products.

Why FIPS are important: In many situations, U.S. government agencies can only purchase FIPS-certified products. This is true for almost every federal agency, with the exception of the military and the CIA, which often have more extensive security practices. Many private companies are required by U.S. government regulation to use FIPS-certified products. For example, the Controlled Substances Ordering System (CSOS) regulations (regulations on electronic ordering of controlled substances) require FIPS standards for wholesale, health-care and pharmaceutical companies. Canada, Australia and several other European countries also require FIPS certification. Many private financial companies require FIPS-enabled products. ANSI and ISO are working through the process of adopting some FIPS publications. Some large companies are starting to take the approach that all security products must be FIPS-certified and that they are always used in FIPS mode.

What the National Institute of Science and Technology (NIST) is:
The FIPS publications are created by the National Institute of Science and Technology (NIST). NIST is a non-regulatory federal agency within the U.S. Department of Commerce with approximately 3,000 employees and an estimated annual budget of $771 million. NIST works with industry to develop and apply technology, measurements and standards.

What “FIPS Mode” means:
Products that support one or more FIPS standards can be set into a mode where the product only uses FIPS approved algorithms and methods. In other words, security toolkits typically support both FIPS approved and non-FIPS approved functions. In FIPS mode, the product is incapable of using any non-FIPS approved methods.

What FIPS Certification Programs are:
There is a formal certification program for FIPS. NIST and the Canadian government certify third-party labs. The labs then certify hardware and software products. What does it mean to be “FIPS Certified”? FIPS certification means that your product has been reviewed by a lab for compliance to FIPS 140-2 to at least Level 1 and your product supports at least one FIPS Certified Algorithm. The vast majority of FIPS Certifications are FIPS 140-2 Level I, which is the simplest of four levels. NIST has promised to update FIPS 140-x every five years. There are many supported algorithms, and the algorithm list is occasionally updated.

Products and FIPS Certification:
FIPS certification is applicable to the security modules of applications, i.e., any part of an application that employs cryptography. It is common for application software companies to embed or OEM a security module developed by a third party. So, the typical company that seeks FIPS certification is a company focused on delivery of product that provides cryptographic services.

Key FIPS Standards:

• 140-2 standard for Security Requirements for Cryptographic Modules
• 186-2 Digital Signature Standard RSA and DSA
• 180-1 Secure Hash Standard SHA-1
• 180-2 updated Secure Hash Standard SHA-1 plus SHA-256, SHA-384, SHA-512

Summary of the Federal Information Processing Standards:
FIPS can sound complicated, but essentially they state that a security product must itself be well designed and safe. The product has to

1. Protect its own keys
2. Provide for safe API’s
3. Be able to run self tests
4. Have a way to communicate its status
5. Allow for role-based authentication of users

Useful facts to know about FIPS:

• 140-2 dated Dec. 03, 2002, replaces 140-1 dated Jan. 11, 1994. You can no longer get certified for 140-1 just for 140-2
• 180-2 dated Aug. 1, 2002, is an update to 180-1 that simply adds three additional hash algorithms that employ larger key sizes. If you are compliant to 180-2, you also are considered compliant to 180-1.