Ensuring FIPS 140-2 Compliance – Caveat Emptor

How to know if your vendor is complying with NIST standards for FIPS 140-2

Defense contractors looking to comply with NIST 800-171 know they need to protect all Controlled Unclassified Information (CUI) both at rest and in transit with FIPS 140-2 validated encryption. And this requirement can extends to not just CUI in contracts but also to all the technology and services they use. Given that CUI represents sensitive defense information, contractors should realize the importance of properly using FIPS 140-2 encryption algorithms, which are the benchmark for effective cryptographic hardware and software Importantly, contractors need to know how to determine if their vendors have properly implemented FIPS 140-2 algorithms.

How to tell if it’s real FIPS 140-2

The easiest way to determine if your vendor is FIPS 140-2 certified is to check the NIST website. If a company’s name appears in NIST’s Cryptographic Module Validation Program (CMVP), they have been vetted by NIST and you should feel comfortable using the vendor’s technology.
Achieving the NIST standard is no easy feat. Vendors can take up to 18 months to complete the necessary three-step program where each step must be done in order and cannot be started until the previous one is completed. To pass, vendors must:

AWS Builder Community Hub
  • #1 Document all cryptographic methods and algorithms implemented against the NIST standard. Any gaps in the vendor’s implementation must be filled either by creating necessary code or documentation.
  • #2 Participate in the NIST Cryptographic Algorithm Validation Program (CAVP) where a NIST lab tests and evaluates the algorithms implemented in the vendor’s code. Each algorithm that passes will receive a CAVP certificate from NIST.
  • #3 Have NIST test and evaluate the cryptographic module from end to end including the documentation and the CAVP-certified algorithms that are used in the module itself. When the testing is complete and approved, NIST issues a CMVP certificate for the validated cryptographic module.
    Only after this third step can a vendor truthfully claim that they are using FIPS 140-2 validated cryptographic methods and algorithms.

    What about “FIPS Inside”

    Some vendors will state they comply with FIPS 140-2 standard without undergoing certification. They will promote what is commonly called a ‘FIPS Inside’ justification which means they implement FIPS-approved crypto libraries or use FIPS-approved algorithms in their solutions but their implementation has never been vetted by NIST itself.
    While it’s possible to meet the NIST standard for FIPS without having NIST evaluate the entire process, it’s very tricky to determine the implementation’s validity. A contractor would have to examine numerous details of a vendor’s code and ensure all algorithms and modules are meeting the FIPS 140-2 requirements.
    In addition, the contractor would need to validate methods that are frequently invisible to contractors such as self-tests, service access controls, error handling, entropy tests, and many other features beyond the encryption algorithms themselves. And this testing is not easy to do.
    Best advice is to be wary of vendors whose claim to meeting the FIPS 140-2 standard is based on self-attestation as its very tricky to determine the statement’s accuracy.

    FIPS certification enables confidence in your cybersecurity

    If a vendor has been verified for use of FIPS 140-2 algorithms and the module that uses them, they have met a very high bar for their cryptography. At PreVeil, for example, it took us over a year to accomplish the three steps required to become properly evaluated and validated by NIST and ensure we meet FIPS 140-2 requirements. For PreVeil, the validation extends not just to the PreVeil encryption algorithms, but also includes all the details of the end-to-end cryptographic implementation.
    Contractors should be confident that vendors meeting the FIPS 140-2 standard are providing the highest level of cryptographic methods and algorithms.


    The benefit to customers of relying on vendors who use FIPS 140-2 validated cryptography is evident. But additional benefits are also ensured because by relying on the NIST standard, contractors can be assured that vendors are constantly reviewing and updating their cryptographic system in accordance with NIST requirements. The FIPS 140-2 standard ensures contractors CUI is protected not just today, but in the many years to come.

    The post Ensuring FIPS 140-2 Compliance – <span style="color:#f05f2a;"><em>Caveat Emptor</em></span> appeared first on PreVeil.

    *** This is a Security Bloggers Network syndicated blog from Blog – PreVeil authored by Orlee Berlove. Read the original post at: