Throughout the CMMC practices there are references to using FIPS-validated encryption to protect the storage and transmission of Controlled Unclassified Information (CUI). If you search the CMMC Assessment Guide, “FIPS-validated” comes up 22 times! SC.L2-3.13.11 specifically states that companies must “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI,” and the practices for transmission (SC.L2-3.13.8), mobile devices (AC.L2-3.1.19) and storage (SC.L2-3.13.16) also reference FIPS-validated encryption when protecting CUI.
But what exactly is FIPS validated encryption, and how do you meet these requirements?
FIPS stands for Federal Information Processing Standards. Developed by the National Institute of Standards and Technology (NIST) in support of the Federal Information Security Management Act (FISMA), FIPS is an evolving set of rules and guidelines for securing federal computer systems. Most of the standards relate to various types of encryption, and there are currently nine active standards.
CMMC specifically references FIPS 140-2 (soon to be replaced with 140-3), which defines the security requirements for cryptographic modules, i.e. the means by which encryption is deployed. Not all encryption methods are created equal, and the government realized it needed to define and designate “safe” encryption methods for federal use.
There are two components to FIPS Validation: the algorithms, and the implementation of those algorithms in encryption modules.
Algorithms are the mathematical formulas used to encrypt data. You have probably heard of some of these: 3DES, AES256, or SHA-3. Each of these algorithms is used to turn plaintext data into something unreadable, protecting the original data from prying eyes. All encryption algorithms are tested by NIST to verify that they work as expected, are not susceptible to various attacks on the encryption, and can be implemented securely across various technologies. Any algorithm which passes these three gates is determined to be a FIPS-validated encryption algorithm.
Next, the implementation of that algorithm must be verified. Just because a product is using a FIPS-approved algorithm does not mean that it is doing so in a secure manner. The hardware, software, and communications must be examined to ensure the vendor has not accidentally (or intentionally!) introduced a vulnerability into its implementation of the encryption algorithm which could lead to a weakness in the encryption. Products and software go through rigorous testing by NIST before being designated FIPS-validated.
You can check a product’s FIPS validation status on the NIST Cryptographic Module Validation Program (CMVP) website. Products will have a designation of Active, Historical, or Revoked. On the right-side menu, find Additional Pages and click “Search”. The basic search function only shows Active products, so use the advanced search function to look at all statuses and set other filters for your search. You can also search for products currently undergoing testing. Approved products are listed as Active, then moved to Historical after 5 years. Just because a product is listed as Historical does not mean you can’t use it. If it is already in your environment you can keep using it, but you should not use those products for any new initiatives. A status of Revoked is self-explanatory!
Many products that have passed FIPS validation must still be configured to run in FIPS Mode. Rather than develop separate product lines, most hardware vendors have a FIPS Mode setting which must be enabled. In most cases, this is just a check box. Hardware, such as a firewall, will also have a tamper-evident seal on the device which would be damaged if the product were opened. This seal must be intact.
What happens when you decide to enable FIPS Mode? For starters, wireless networks and VPNs configured using pre-shared keys (a common configuration in small businesses) will no longer function. Such keys, or “shared secrets”, are found to be too easily cracked to pass FIPS validation and must be replaced with strong authentication mechanisms, such as X.509 certificates. Data in storage may have to be decrypted and re-encrypted using only FIPS-validated algorithms. This can be time consuming and will slow down some systems until the data is re-encrypted.
As you can surmise, the “FIPS Mode” check box should not be clicked without planning for some downtime and reconfiguration.
The first mistake companies make is to try to deploy FIPS Mode EVERYWHERE. They enable it on servers, workstations, wireless devices, switches, and the VPN. Before you head down this path, remember this very important phrase from the practice: “…when used to protect the confidentiality of CUI.”
What else could protect the confidentiality of CUI? If your data is stored on a server in the data center and that data center is physically secured, then the physical controls are protecting the data at rest! The same might be said for your internal network switches, as the network wiring is also protected by your physical security controls.
What about wireless or the VPN? If your data is stored in a cloud service or on-premises solution that supports FIPS-approved encryption, and your endpoints are configured in FIPS Mode, then all transmission will already be encrypted appropriately. Be aware that some applications, such as some popular CAD programs, will not support this type of host-based encryption. Other organizations opt to require all in-scope devices to use a wired connection instead of wireless, and don’t allow use of the VPN to connect to CUI.
As a final thought, part of your System Security Plan should include designating a person responsible for an inventory of cryptographic modules in use and checking their validation status on a defined basis, at least once a year.
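One way to make that inventory check routine, as an added example that is not part of the original post: a small Python review that applies the Active/Historical/Revoked rules described above (Historical is acceptable only for existing deployments, Revoked never) and flags any record whose status has not been confirmed within the defined interval. The status and validation date are assumed to have been looked up by hand on the CMVP site and recorded; the inventory records and certificate numbers below are constructed placeholders, and the six-month planning window before an Active listing moves to Historical is an assumption, not something the post specifies.

```python
# Added example (not from the original post): annual review of a cryptographic-module inventory.
# Status values are assumed to have been looked up on the CMVP site and recorded by hand;
# certificate numbers are placeholders and the records are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

REVIEW_INTERVAL = timedelta(days=365)   # the post: confirm status at least once a year
HISTORICAL_AFTER_YEARS = 5              # the post: Active listings move to Historical after 5 years
SUNSET_WARNING = timedelta(days=180)    # assumption: start planning six months before that move


@dataclass
class ModuleRecord:
    system: str            # where the module is deployed
    module: str            # module name as listed by the CMVP
    certificate: str       # CMVP certificate number (placeholders here)
    status: str            # "Active", "Historical" or "Revoked", as seen on the CMVP site
    validated: date        # validation date recorded from the CMVP entry
    last_checked: date     # when the responsible person last confirmed the status
    new_initiative: bool   # True for a planned deployment, False for one already in place


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, mapping 29 Feb to 28 Feb when the target year has none."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def review_module(rec: ModuleRecord, today: date) -> List[str]:
    """Findings for one record, applying the post's Active/Historical/Revoked rules."""
    findings: List[str] = []
    if today - rec.last_checked > REVIEW_INTERVAL:
        findings.append("status check overdue")
    status = rec.status.lower()
    if status == "revoked":
        findings.append("revoked: must not be used")
    elif status == "historical":
        if rec.new_initiative:
            findings.append("historical: not acceptable for a new initiative")
        else:
            findings.append("historical: existing use may continue; plan a replacement")
    elif status == "active":
        sunset = add_years(rec.validated, HISTORICAL_AFTER_YEARS)
        if sunset - today <= SUNSET_WARNING:
            findings.append(f"moves to Historical in {(sunset - today).days} days")
    else:
        findings.append(f"unrecognised status '{rec.status}'")
    return findings


def review_inventory(records: List[ModuleRecord], today: date) -> Dict[str, List[str]]:
    """Map 'system/module' to its findings; an empty list means nothing to act on."""
    return {f"{r.system}/{r.module}": review_module(r, today) for r in records}


# Constructed sample inventory; certificate numbers are placeholders, not real CMVP entries.
SAMPLE_INVENTORY = [
    ModuleRecord("file-server", "Example Disk Encryption Module", "CERT-PLACEHOLDER-1",
                 "Active", date(2020, 3, 1), date(2024, 1, 15), False),
    ModuleRecord("vpn-gateway", "Example VPN Crypto Module", "CERT-PLACEHOLDER-2",
                 "Historical", date(2017, 8, 1), date(2023, 2, 1), False),
    ModuleRecord("new-wifi-controller", "Example Wireless Module", "CERT-PLACEHOLDER-3",
                 "Historical", date(2018, 5, 1), date(2024, 5, 20), True),
    ModuleRecord("legacy-nas", "Example Storage Module", "CERT-PLACEHOLDER-4",
                 "Revoked", date(2016, 1, 1), date(2024, 5, 1), False),
    ModuleRecord("mail-gateway", "Example TLS Module", "CERT-PLACEHOLDER-5",
                 "Active", date(2019, 9, 1), date(2024, 4, 1), False),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, date.today()).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

The review deliberately does not query the CMVP site itself: the post's control is that a named person confirms each status on a defined schedule, so the record of when that was last done is the thing the script audits.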
The implementation of FIPS-approved encryption modules is something to consider carefully, and it requires planning and testing. There are applications and support tools that will not support FIPS Mode, and others that will need modification.
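The planning and testing the post calls for, and the earlier warning about the “FIPS Mode” check box, both start with knowing what state a host is actually in. The following is an added example, not code from the original post: a pre-flight report that reads the Linux kernel flag (`/proc/sys/crypto/fips_enabled`), the Windows FIPS policy bit (`HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled`), and the OpenSSL 3 provider list, since a FIPS-mode kernel alone does not stop a crypto library from offering non-approved algorithms. It also shows the kind of application modification the post mentions: a tool that uses MD5 only as a content checksum must say so (`usedforsecurity=False`, Python 3.9+) or it stops working once the host is in FIPS Mode. The sample `openssl list -providers` output is constructed.

```python
# Added example (not from the original post): a pre-flight report to run on a host before
# ticking the "FIPS Mode" box. The Linux flag file, the Windows registry policy and the
# `openssl list -providers` format are real; the sample listing below is constructed.
import hashlib
import platform
import subprocess
from typing import Dict, Optional

LINUX_FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # "1" when the kernel crypto API is in FIPS mode

# Constructed sample of `openssl list -providers` output on an OpenSSL 3 host with the FIPS provider loaded.
SAMPLE_PROVIDER_LISTING = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.2
    status: active
"""


def linux_fips_enabled(flag_path: str = LINUX_FIPS_FLAG) -> Optional[bool]:
    """True/False from the kernel flag; None when the file is absent (not Linux, or no FIPS support)."""
    try:
        with open(flag_path, "r", encoding="ascii") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def windows_fips_enabled() -> Optional[bool]:
    """Read the 'System cryptography: Use FIPS compliant algorithms' policy bit; None off Windows."""
    if platform.system() != "Windows":
        return None
    import winreg  # standard library, but only importable on Windows
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy")
        value, _ = winreg.QueryValueEx(key, "Enabled")
        return int(value) == 1
    except OSError:
        return False


def parse_openssl_providers(listing: str) -> Dict[str, str]:
    """Parse `openssl list -providers` (OpenSSL 3) into {provider name: status}.
    Provider names are indented two spaces, their attributes four."""
    providers: Dict[str, str] = {}
    current: Optional[str] = None
    for line in listing.splitlines():
        if line.startswith("  ") and not line.startswith("    "):
            current = line.strip()
            providers[current] = "unknown"
        elif current is not None and line.strip().startswith("status:"):
            providers[current] = line.split(":", 1)[1].strip()
    return providers


def openssl_fips_provider_active(listing: Optional[str] = None) -> bool:
    """True only if a provider named 'fips' is loaded and reports status active.
    A FIPS-mode kernel does not by itself stop OpenSSL from offering non-approved algorithms."""
    if listing is None:
        try:
            listing = subprocess.run(["openssl", "list", "-providers"],
                                     capture_output=True, text=True, check=False).stdout
        except OSError:  # no openssl binary on this host
            return False
    return parse_openssl_providers(listing).get("fips") == "active"


def content_checksum(data: bytes) -> str:
    """MD5 used purely as a non-security checksum (deduplication, cache keys). Passing
    usedforsecurity=False (Python 3.9+) is the sort of change the post says some tools need:
    without it, hashlib.md5() raises ValueError on a FIPS-mode OpenSSL and the tool breaks."""
    try:
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    except TypeError:  # Python < 3.9 has no such flag
        return hashlib.md5(data).hexdigest()


def fips_preflight() -> Dict[str, object]:
    """Collect the indicators an administrator wants before and after enabling FIPS Mode."""
    return {
        "os": platform.system(),
        "kernel_fips_flag": linux_fips_enabled(),
        "windows_fips_policy": windows_fips_enabled(),
        "openssl_fips_provider_active": openssl_fips_provider_active(),
    }


if __name__ == "__main__":
    for name, value in fips_preflight().items():
        print(f"{name}: {value}")
```

Run it once before the change to record the baseline and once after to confirm every indicator flipped; the same report belongs in the test plan for each application the post says may need modification.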
And more often than not, there are alternate methods to “protect the confidentiality of CUI.”
Still have questions? Please contact us now!