The Federal Risk and Authorization Management Program (FedRAMP) provides a risk-based approach to help U.S. government agencies adopt and use cloud-based technology services. FedRAMP standardizes the security requirements for cloud services, so that cloud service providers (CSPs) can have an easier time bidding on government contracts.
One of the primary requirements for FedRAMP certification is data encryption validated by the Federal Information Processing Standard (FIPS) 140-2. If you can’t meet the cryptographic requirements in FIPS 140-2, don’t expect FedRAMP compliance to happen.
What Is FedRAMP?
Understanding FedRAMP is vital for federal government agencies, cloud service providers (CSPs), and independent software vendors (ISVs). FedRAMP provides a cost-effective, risk-based method for government agencies to assess, adopt, and use cloud services under the Federal Information Security Management Act (FISMA).
FedRAMP compliance essentially acts as a seal of approval for CSPs. Once they meet FedRAMP’s security standards (which are dictated by several agencies, including the Department of Homeland Security and the Department of Defense), those CSPs can then offer their services in a “FedRAMP marketplace” where federal agencies know that all participants have already met a minimum set of security requirements necessary to work with sensitive data.
All CSPs and ISVs must be FedRAMP-certified to sell their cloud offerings to U.S. government entities. This includes large public cloud providers such as Amazon Web Services (AWS).
FedRAMP is based upon security frameworks developed by the National Institute of Standards and Technology (NIST). To establish its own prerequisites, FedRAMP relies on the security controls and assessment procedures described in NIST’s Special Publication (SP) 800-53.
What Is FIPS?
FedRAMP authorization has many steps; implementing the encryption standards of FIPS 140-2 is among the most complex. Issued by NIST, the Federal Information Processing Standards (FIPS) describe the encryption algorithms required for federal government agencies and the vendors supporting those government agencies.
FIPS 140-2 is a standard to validate the security of cryptographic modules, and is required for any SaaS provider or ISV seeking FedRAMP certification. It specifies the security requirements that must be satisfied by a cryptographic module. The module must be protected to maintain the confidentiality and integrity of sensitive data.
Originally issued in 1994, FIPS 140 had two goals: 1) mandate the use of validated cryptography in the federal government; and 2) standardize the validation process. The FIPS 140-2 standard was instituted in 2001.
FIPS Cryptographic Module Validation Program (CMVP)
As part of the FIPS 140-2 effort, the CMVP is designed to validate cryptographic modules based on a defined set of criteria. If encryption is employed as one of the mechanisms to meet a security requirement, it must be FIPS 140-2 validated under the CMVP.
Under the CMVP, cryptographic module vendors must have those modules tested by independent laboratories accredited by the National Voluntary Laboratory Accreditation Program (NVLAP).
After NVLAP labs validate that the modules conform to FIPS 140-2 requirements, the modules will be accepted by U.S. federal agencies for the protection of sensitive information. In addition, the FIPS 140-2 validated product must be configured to operate in FIPS mode.
Here, FIPS validated and FIPS compliant mean different things. FIPS 140 validated means that the module has been certified by an accredited lab as satisfying FIPS 140-2 requirements.
FIPS 140 compliant refers to products that rely on FIPS 140-validated products for cryptographic functionality, but have not completed the entire FIPS 140 validation process.
FIPS 140-2 Baseline Requirements
The existing baseline requirements under FIPS 140-2 are mandatory to receive FedRAMP authorization from the government’s Joint Authorization Board (JAB) and most federal agency authorizations. FIPS 140-3 is the newest version. Compared to FIPS 140-2, it more closely aligns with these international ISO/IEC standards:
- ISO/IEC 19790:2012(E) on information technology, security techniques, and requirements;
- ISO/IEC 24759:2017(E) on testing requirements for cryptographic modules.
The significant changes in FIPS 140-3 involve the introduction of non-invasive physical requirements. Other updates will guide ISO/IEC standards for cryptographic algorithms, module testing, and validation originally specified in FIPS 140-2. Both FIPS 140-2 and 140-3 are currently approved and active, but transition to FIPS 140-3 is required by September 2026.
FIPS 140-2 Security Levels
FIPS 140-2 and FIPS 140-3 provide four qualitative security levels covering many potential applications where cryptographic modules may be employed. To reach higher levels, CSPs must have met the security demands of previous levels.
That said, certain levels are only appropriate for specific products or services, so it’s not necessary for every product to reach the highest FIPS level (Level 4).
Level 1
Level 1 provides the most basic security and applies only to the cryptographic module of a software system. It specifies no physical requirements such as an encryption board. For instance, a one-time password (OTP) that incorporates FIPS-validated crypto libraries can be FIPS 140-2 Level 1 validated.
Level 2
This level applies to the physical casing of cryptographic modules. The goal is to protect plaintext encryption keys from duplication or manipulation.
To achieve FIPS Level 2 validation, a system must comply with the Level 1 standards and meet certain role-based authentication requirements to account for tamper-evidence. This means that visible signs of manipulation must appear in the event of physical access.
Level 3
This level requires the self-destruction of encryption keys if a cryptographic module is tampered with by an unauthorized party. It ensures that the code is within a tamper-proof container so that the keys get destroyed if the device is physically compromised.
Level 4
This highest level stipulates that the encryption keys be completely protected from extreme environmental or physical conditions so that even such extreme conditions do not reveal the encryption keys.
When a product is FIPS 140-2-validated, it has been reviewed, tested, and approved by an NVLAP-accredited testing lab. For a product to be 100 percent validated, it must go through the CMVP process and get an official validation stamp.
The Need for Encryption Under FedRAMP and FIPS
Encryption compliance is becoming increasingly important as organizations adopt zero-trust security architectures and emphasize data security.
When data remains unprotected, it is vulnerable to compromise, theft, and breaches, which can harm an organization’s reputation, revenues, and market share. These events may also result in fines or penalties for violations of data privacy and security regulations.
To avoid these bad outcomes, all storage devices, data exchanged between endpoints, and archival backups must support encryption using FIPS 140-2 validated modules.
FedRAMP rules require that all commercial CSPs use FIPS 140-2 Level 2-validated products to secure data within computer systems. This includes both data at rest and data in transit.
FedRAMP and FIPS Controls to Encrypt Data At Rest and Data in Transit
Data at Rest
Data at rest is data that is stored on devices and not currently moving between two or more devices. Conventional perimeter-based defenses such as firewalls and antivirus programs do a fair job of protecting such data.
These defenses, however, can be breached, resulting in a network compromise and a bad actor getting access to the data. To prevent such situations, device encryption is crucial. Some examples of data at rest that must be encrypted include:
- Information in data partitions and storage devices
- Information system backups
- Log files
In addition, the cryptographic module within information systems must implement role-based or identity-based authentication to control access and keep unauthorized users out.
Applicable Controls to Encrypt Data at Rest
Some of the FIPS 140-2 controls applicable to encrypting data at rest are:
- SC-13
- SC-28
- SC-28(1)
- CM-5(3)
- MP-5
- MP-5(4)
Data in Transit
Data in transit is especially vulnerable to breaches, so it must be secured with encryption. This includes data that travels:
- Through remote access sessions
- From client device to application and vice versa
- From web application to database
One common method to encrypt data in transit is Transport Layer Security (TLS). TLS provides secure communication across networks and can be used to assure compliance with FIPS 140-2 requirements.
Applicable Controls to Encrypt Data in Transit
Some of the FIPS 140-2 controls applicable to encrypting data in transit are:
- SC-8
- SC-8(1)
- SC-12
- SC-12(1)
- SC-12(2)
- SC-12(3)
- SC-13
In addition to data at rest and data in transit, FIPS 140-2 should also be enabled for operating systems. Doing this assures that the operating system will use FIPS-validated encryption algorithms.
When the cryptographic module uses only FIPS-approved schemes, the system is configured to run in a FIPS-approved operation mode. This is essential for FIPS 140-2 compliance.
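A host-side check for the FIPS-approved operation mode described above, extended to also screen the TLS cipher suites a host offers for data in transit (an added example, not code from the original page). It assumes a Linux host that exposes `/proc/sys/crypto/fips_enabled`; the deny-list and function names are constructed for illustration, and passing this screen does not show that the underlying module is CMVP-validated.

```python
import re
import ssl
from pathlib import Path

# Linux kernel flag; reads "1" when the kernel booted in FIPS mode (assumes Linux).
KERNEL_FIPS_FLAG = Path("/proc/sys/crypto/fips_enabled")

# Constructed deny-list of algorithm tokens that are not FIPS-approved.
# Screening aid only: an approved name does not prove a CMVP-validated module.
NON_APPROVED = {"CHACHA20", "RC4", "MD5", "CAMELLIA", "SEED", "IDEA",
                "ARIA", "DES", "3DES", "NULL"}


def kernel_fips_enabled(flag_path=KERNEL_FIPS_FLAG):
    """True/False from the kernel flag, None if the flag file cannot be read."""
    try:
        return Path(flag_path).read_text().strip() == "1"
    except OSError:
        return None


def non_approved_algorithms(cipher_name):
    """Return deny-listed tokens found in an OpenSSL- or IANA-style suite name."""
    tokens = set(re.split(r"[-_]", cipher_name.upper()))
    return sorted(tokens & NON_APPROVED)


def audit(cipher_names, flag_path=KERNEL_FIPS_FLAG):
    """Collect findings for the kernel flag and for each offered cipher suite."""
    findings = []
    state = kernel_fips_enabled(flag_path)
    if state is None:
        findings.append("kernel FIPS flag not readable")
    elif not state:
        findings.append("kernel FIPS flag is 0")
    for name in cipher_names:
        bad = non_approved_algorithms(name)
        if bad:
            findings.append(f"{name}: not approved ({', '.join(bad)})")
    return findings


if __name__ == "__main__":
    # Suites this host's default TLS context would offer.
    offered = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    for finding in audit(offered) or ["no findings"]:
        print(finding)
```

Run on a host with FIPS mode enabled, the script should report no findings; a ChaCha20 or RC4 suite in the output means the TLS library is still offering algorithms outside the approved set.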
Simplify FedRAMP and FIPS 140-2 Compliance with ZenComply
The ZenComply platform is designed to simplify your FedRAMP and FIPS 140-2 compliance effort. Leverage this all-in-one platform for all your compliance, audits, risk management, and governance needs.
ZenComply offers detailed views of control environments to ease audit and compliance management. It also provides continuous monitoring and easy access to information to help you evaluate your compliance program and address critical tasks quickly.
Stay ahead of constant regulatory changes with this integrated and automated system of record. Plus, you can eliminate tedious manual processes to save time and effort while meeting all your compliance responsibilities.
Schedule a demo to see how ZenComply can help your organization achieve and maintain FedRAMP certification.