FIPS 140-2 and CMMC Compliance

What is FIPS 140-2?

Federal Information Processing Standards Publication 140-2 is a standard for the cryptographic modules used in software and hardware to protect sensitive data. The key difference between FIPS-validated modules and others is the rigorous testing and verification process they undergo. This process can take years, ensuring these modules meet strict security protocols. The result is a reduced risk of security breaches and a consistent level of protection for cryptographic modules. This gives the government confidence in the products they use to safeguard their data.

Those who have been chin-deep in CMMC for a while are quite familiar with NIST 800-171 requirement 3.13.11, which calls for FIPS-validated cryptography to protect the confidentiality of Controlled Unclassified Information (CUI). Encryption is a recurring theme in CMMC practices, but not all encryption scenarios need FIPS-validated modules. Whaaaaaat?

CMMC Level 2 has various encryption requirements, such as:

  • 3.1.13 Protecting remote access sessions (VPNs)
  • 3.1.17 Securing wireless communications
  • 3.8.9 Protecting backups

Non-FIPS encryption can handle these tasks if CUI isn’t involved. FIPS 140-2 validation is mandatory only when CUI confidentiality is directly protected by the module.

Understanding when FIPS validation is and isn’t necessary can help you avoid unnecessary costs and complexities.

Double Encryption

If CUI is already safeguarded by a layer of FIPS-validated encryption, double encryption (like double rainbows) with another FIPS-validated module is not necessary. For example, if a FIPS-validated web session with a cloud service is established (think GCC High, TLS 1.2), the underlying wireless network transmitting the data would not necessarily need FIPS validation. The wireless network would need FIPS-validated modules only if the CUI weren’t already protected by FIPS-validated encryption.


It is also possible to use physical security measures in place of encryption to protect Controlled Unclassified Information (CUI) in specific situations. NIST 800-171 explicitly permits the use of physical safeguards as alternatives to FIPS 140-2 validated cryptography for several requirements. First, let’s look at some of the characteristics of a physically secure location.

Physically Secure Locations

What is a physically secure location? Well, if you have NIST 800-171 implemented correctly, it’s everything within your physical boundary. It may also be a physical data center holding backups or a FedRAMP cloud data center. A physically secure location meets the physical security requirements of the 800-171 Physical Protection (PE) domain.

Ensuring that a location is physically secure involves multiple layers of defense to protect critical assets from various threats. Strategically placed entry/exit points with badge readers, keycards, and/or security guards verify credentials, making sure that only authorized personnel gain access and their access is logged.

Positioning system components strategically within the facility minimizes risks from physical threats like terrorism or vandalism, and environmental hazards such as tornadoes, earthquakes, floods, and fires.


Here are aspects contributing to a physically secure location:

  • Controlled Areas
  • Physical Barriers
  • Controlled Entry and Exit Points
  • Screening Measures
  • Continuous Monitoring

FedRAMP authorized clouds are considered physically secure (Amazon, Microsoft, Google data centers, etc.).

Physical Safeguards as Alternatives to FIPS 140-2 Validation

There are several practices that allow physical security as an alternative to encryption:

  • Transporting Digital Media (3.8.6): Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport, OR protect it with alternative physical safeguards.
  • Backup Storage Locations (3.8.9): Store backup CUI in physically protected environments, OR employ FIPS-validated cryptography.
  • Transmission of CUI (3.13.8): Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, OR protect it with alternative physical safeguards.

The goal is to ensure CUI confidentiality, whether through cryptography or physical protection. It’s important to remember that physical security is not always a suitable replacement for encryption. The decision of whether to use physical security or encryption should be based on a risk assessment that considers the sensitivity of the information, the cost of implementing the safeguards, and the likelihood of a security breach. In some cases, a combination of physical security and encryption may be the most appropriate solution. For example, an organization might choose to store encrypted backups of CUI in a physically secure location. This provides layered protection, making it more difficult for an attacker to gain access to the information. Talk to an expert for help!


Practical Scenarios

  • Mobile Devices: If employees use mobile devices to store or transmit CUI, the encryption must be FIPS 140-2 validated. However, if these devices use FIPS-validated encryption through a secure app, the mobile device management (MDM) software itself may not need FIPS validation. CUI has to be encrypted with a FIPS-validated module one way or another.
  • Local Network Transfers: If CUI is transferred on a local network using secure protocols like SFTP, the cryptographic modules must be FIPS 140-2 validated. However, if the transfer occurs between two computers connected with a network cable in a highly secure environment, physical security might suffice if the information does not leave the building.
  • Cloud Storage: When storing CUI in cloud services like Google Drive or Microsoft OneDrive, ensure the service provider is FedRAMP authorized at the Moderate or High level, which includes FIPS 140-2 compliance. This means you might not need additional FIPS-validated encryption.
  • Remote Access with VPN: If a VPN protects CUI during remote access, it must use FIPS 140-2 validated modules. However, if the remote access is secured through another FIPS-validated method (such as TLS 1.2), the VPN doesn’t need to be FIPS validated, because FIPS-validated encryption is already applied.
  • File Sharing with External Partners: The file-sharing service must use FIPS-validated encryption to protect CUI during transmission and storage. If the service is FedRAMP Moderate or High (think SharePoint), additional FIPS-validated encryption may not be necessary.
  • Secure Printing: If printing CUI using a network printer, ensure the data is encrypted with FIPS 140-2 validated methods. If the printer is connected to the local network within a secure environment, physical security might be enough.
  • NAS Storage: If CUI is stored on a NAS device, the encryption must be FIPS 140-2 validated unless the device is in a physically secure location.

Achieving FIPS 140-2 Compliance

The first thing you should do to get in compliance with encryption requirements is to know where your CUI is stored, transmitted, and processed.

  1. Map Your Data Flow: Create a diagram showing how CUI is received, stored, and transmitted, identifying all touchpoints.
  2. Document Protection Methods: Record whether each instance uses encryption or physical security.
  3. Implement or Identify FIPS-Validated Modules: Wherever a module protects the confidentiality of CUI, use a FIPS-validated cryptographic module or confirm the existing solution is validated.
  4. Obtain Certificates: Collect certificates from the CMVP for all FIPS-validated solutions used.
  5. Enable and Verify FIPS Mode: Ensure FIPS mode is enabled in your solutions as required by the certificates, and document how this was done.
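The decision logic behind the Practical Scenarios above and the data-flow mapping steps just listed, as an added Python example (not from the original article): each inventoried flow carries a list of protection layers, and the rules applied are that no CUI means no FIPS requirement, one FIPS-validated layer with a CMVP certificate on file is enough (no double encryption), and a physical safeguard substitutes for cryptography only under 3.8.6, 3.8.9 and 3.13.8. The sample inventory, the certificate number and the requirement mapping of each flow are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Requirements the article lists as allowing physical safeguards instead of
# cryptography; constructed allow-list taken from that list.
PHYSICAL_ALTERNATIVE_OK = {"3.8.6", "3.8.9", "3.13.8"}

@dataclass
class Layer:
    name: str
    kind: str                        # "crypto" or "physical"
    fips_validated: bool = False     # only meaningful for crypto layers
    cmvp_cert: Optional[str] = None  # CMVP certificate number on file, if any

@dataclass
class Flow:
    name: str
    requirement: str                 # the 800-171 requirement the flow falls under
    carries_cui: bool
    layers: List[Layer] = field(default_factory=list)

def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("ok" or "finding", reason) for one inventoried flow."""
    if not flow.carries_cui:
        return "ok", "no CUI involved: non-FIPS encryption is acceptable"
    fips = [layer for layer in flow.layers if layer.kind == "crypto" and layer.fips_validated]
    if fips:
        # One FIPS-validated layer protects the CUI; no need to double-encrypt.
        uncertified = [layer.name for layer in fips if not layer.cmvp_cert]
        if uncertified:
            return "finding", "collect CMVP certificate(s) for: " + ", ".join(uncertified)
        return "ok", f"CUI already protected by FIPS-validated layer '{fips[0].name}'"
    physical = [layer.name for layer in flow.layers if layer.kind == "physical"]
    if physical and flow.requirement in PHYSICAL_ALTERNATIVE_OK:
        return "ok", f"{flow.requirement} permits physical safeguard '{physical[0]}'"
    if physical:
        return "finding", f"{flow.requirement} does not allow physical safeguards instead of crypto"
    return "finding", "CUI relies on non-validated crypto: a FIPS 140-2 validated module is required"

# Constructed sample inventory mirroring scenarios described in the article.
INVENTORY = [
    Flow("GCC High web session over office Wi-Fi", "3.1.17", True,
         [Layer("TLS 1.2 to GCC High", "crypto", True, "CERT-PLACEHOLDER"),
          Layer("WPA2 on office Wi-Fi", "crypto", False)]),
    Flow("Cable transfer between two PCs in the secure room", "3.13.8", True,
         [Layer("badge-controlled room", "physical")]),
    Flow("Remote access VPN with non-validated IPsec", "3.1.13", True,
         [Layer("vendor VPN, no CMVP certificate", "crypto", False)]),
]
```

Running `evaluate` over each entry of `INVENTORY` yields the per-flow status and a reason string that can go straight into the step 2 documentation.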

Finding FIPS-Validated Solutions

To check if a solution is FIPS 140-2 validated, consult NIST’s Cryptographic Module Validation Program (CMVP) search page. This is the most reliable source, as vendor websites may sometimes misrepresent their status. If a solution claims to be FedRAMP ready, make sure there is a certificate for it before you purchase. When searching the CMVP site, it’s usually easier to find what you are looking for by searching by vendor (such as Cisco, Microsoft, etc.).

Evidence for CMMC Level 2 Assessment

For CMMC Level 2 assessments, you’ll need:

  • Certificates from NIST’s CMVP search page.
  • Documentation of FIPS mode enablement and verification. Where did you go to enable FIPS encryption?

FIPS Compliance vs. Patching

Patching systems is essential to keep an environment secure, but it can impact FIPS compliance. If a patch alters a validated module, it might bring the system out of compliance. In such cases, conduct a risk assessment to weigh the benefits of the update against the implications of non-compliance. Document your decisions!

If an update is required for a system or software that previously had a FIPS 140-2 validated module, and the update results in non-compliance with FIPS 140-2, the update should be prioritized to reduce vulnerabilities. If a system or software has never had a FIPS 140-2 validated module, organizations should seek alternative compliant solutions to implement instead. Make sure to document your strategy. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) understands that maintaining security sometimes means temporary non-compliance due to necessary updates.

Achieving FIPS 140-2 compliance might seem confusing, but by understanding the requirements and knowing when validation is necessary, you can simplify the process. Remember, the main objective is to protect the confidentiality of CUI.