Throughout the CMMC Practices are references for using FIPS validated encryption to protect the storage and transmission of Controlled Unclassified Information (CUI). If you search the CMMC Maturity Level 3 Assessment Guide (Version 1.10), “FIPS-validated” comes up 24 times! SC.3.177 specifically states that companies must “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI,” and practices for protecting wireless (AC.3.012), VPNs (AC.3.014), and storage (SC.3.191) also reference FIPS-validated encryption when protecting CUI.
But what exactly is FIPS validated encryption, and how do you meet these requirements?
FIPS stands for Federal Information Processing Standards. Developed by the National Institute of Standards and Technology (NIST) in support of the Federal Information Security Management Act (FISMA), FIPS are mandatory standards for securing federal computer systems, and they are revised and withdrawn over time. Most of the active standards concern cryptography: block ciphers such as AES (FIPS 197), hash functions (FIPS 180-4 and FIPS 202), digital signatures (FIPS 186) and the cryptographic modules that implement them (FIPS 140).
CMMC specifically references FIPS 140-2 (being superseded by FIPS 140-3; certificates already issued under 140-2 remain valid until they sunset), which defines the security requirements for cryptographic modules, that is, the hardware, software or firmware in which the encryption is actually implemented. Not all encryption methods are created equal, and the government needed a way to define and designate “safe” cryptography for federal use.
There are two components to FIPS validation: the algorithms, and the implementation of those algorithms in cryptographic modules.
Algorithms are the mathematical procedures used to protect data. You have probably heard of some of these: 3DES, AES-256, or SHA-3. AES and 3DES turn plain-text data into ciphertext that is unreadable without the key; SHA-3 is a hash function, used for integrity checks and signatures rather than for encryption. An algorithm is “FIPS-approved” when NIST has specified it in a FIPS or Special Publication after public analysis of its design and its resistance to known attacks (AES in FIPS 197 and SHA-3 in FIPS 202, for example). NIST also retires algorithms as attacks improve: 3DES is deprecated and no longer allowed for encrypting new data, so a product that still offers it is not automatically acceptable. Separately, NIST’s Cryptographic Algorithm Validation Program (CAVP) tests that a specific implementation of an approved algorithm produces the correct output for known test vectors; that tested implementation is what the module validation described next builds on.
Next, the implementation of those algorithms must be validated as a cryptographic module. Just because a product uses a FIPS-approved algorithm does not mean it does so securely. Under FIPS 140, the module’s hardware, software, key management, self-tests, interfaces and physical protections are examined to ensure the vendor has not accidentally (or intentionally!) introduced a weakness around the algorithms, such as poor random number generation or keys left exposed in memory. That testing is performed by an independent, accredited laboratory; the Cryptographic Module Validation Program (CMVP), run jointly by NIST and the Canadian Centre for Cyber Security, reviews the lab’s results and issues the certificate that makes a module “FIPS-validated.”
You can check a product’s FIPS validation status on the NIST Cryptographic Module Validation Program website. Modules are listed as Active, Historical, or Revoked. On the right-side menu, find Additional Pages and click “Search.” The basic search only shows Active modules, so use the advanced search to see all statuses and apply other filters. You can also search the separate list of modules currently undergoing testing. A newly validated module is listed as Active and moves to Historical five years after its validation date. A Historical listing does not mean you can’t use the product: if it is already in your environment you can keep using it, but you should not choose it for new initiatives. A status of Revoked is self-explanatory! One more check: the certificate covers only the exact module version and the operating environments named in its Security Policy, so confirm that the version you run, on the platform you run it on, is the one that was validated.
Many products that contain a validated module must still be configured to run in FIPS mode. Rather than develop separate product lines, most vendors ship a single product with a FIPS mode setting that must be enabled; in most cases this is just a check box, and the module’s Security Policy spells out the exact steps. Hardware validated with physical security requirements, such as a firewall appliance, also relies on tamper-evident seals that would be damaged if the device were opened. The seals must be applied where the Security Policy says and must be intact.
What happens when you enable FIPS mode? For starters, depending on the vendor, wireless networks and VPNs configured with pre-shared keys (a common configuration in small businesses) may no longer be permitted. A shared secret typed into every device is a weak, unaccountable way to establish keys, so expect to replace it with a stronger authentication mechanism such as X.509 certificates (802.1X/WPA2-Enterprise for wireless, certificate-based IKEv2 for VPNs). Non-approved algorithms and protocol options, for example MD5 and RC4 and SSLv3, are disabled, so older clients and integrations may stop connecting. Data in storage may need to be decrypted and re-encrypted using only FIPS-approved algorithms. This can be time consuming and will slow down some systems until the re-encryption finishes.
As you can surmise, the “FIPS Mode” check box should not be clicked without planning for some downtime and reconfiguration.
As a final thought, part of your System Security Plan for CMMC Maturity Level 3 for SC.3.177 should include designating a person responsible for an inventory of cryptographic modules in use and checking their validation status on a defined basis, such as once a year. It should also state where the inventory is kept. It may be easier to simply list the approved modules in your plan, along with the certificate numbers assigned by NIST. Keeping everything in one place is always easiest to manage.
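As an added example (not code from the original article or from Monarch ISC), here is a small Python script that performs the annual review described above over a module inventory of the kind the plan should keep. Every product name, version, certificate number and date in it is constructed; the five-year move to Historical is the rule stated earlier, and the version and FIPS-mode checks reflect the fact that a CMVP certificate covers only the tested version and only when the module actually runs in its approved mode.

```python
"""Annual review of a cryptographic-module inventory (constructed example).

Checks each inventoried module the way an SC.3.177 reviewer would:
  * CMVP status (Active / Historical / Revoked) as recorded at the last lookup
  * the 5-year clock after which an Active certificate moves to Historical
  * that the deployed version matches the version on the certificate
  * that FIPS mode is actually enabled on the deployed product
Products, versions, certificate numbers and dates below are constructed, not real CMVP records.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# CMVP moves a validated module to the Historical list five years after validation.
HISTORICAL_AFTER = timedelta(days=5 * 365)
WARN_WINDOW = timedelta(days=180)   # flag certificates that sunset within six months
REVIEW_DATE = date(2024, 6, 1)      # the (constructed) date this review is run


@dataclass(frozen=True)
class CryptoModule:
    product: str             # where it is deployed (hypothetical name)
    deployed_version: str    # version actually running in the environment
    cert_number: str         # CMVP certificate number recorded in the SSP (constructed)
    validated_version: str   # version named on the certificate / Security Policy
    validation_date: date    # date on the certificate
    cmvp_status: str         # "Active", "Historical" or "Revoked" from the last lookup
    fips_mode_enabled: bool  # evidence that the vendor's FIPS mode switch is on


def review_module(m: CryptoModule, today: date) -> List[str]:
    """Return the findings for one module; an empty list means no action needed."""
    findings: List[str] = []
    sunset = m.validation_date + HISTORICAL_AFTER

    if m.cmvp_status == "Revoked":
        findings.append(f"cert {m.cert_number} is Revoked: stop relying on it for CUI")
    elif m.cmvp_status == "Historical":
        findings.append(f"cert {m.cert_number} is Historical: existing use only, "
                        "do not deploy to new systems")
    elif m.cmvp_status == "Active":
        if today >= sunset:
            findings.append(f"cert {m.cert_number} passed its 5-year mark on {sunset}: "
                            "recorded Active status is stale, re-check CMVP")
        elif sunset - today <= WARN_WINDOW:
            findings.append(f"cert {m.cert_number} moves to Historical on {sunset}: "
                            "plan a replacement or an updated certificate")
    else:
        findings.append(f"unknown CMVP status {m.cmvp_status!r}: look it up")

    # The certificate only covers the exact version (and platforms) that was tested.
    if m.deployed_version != m.validated_version:
        findings.append(f"deployed version {m.deployed_version} differs from validated "
                        f"version {m.validated_version}: this deployment is not covered")

    # A validated module that is not running in FIPS mode gives no assurance.
    if not m.fips_mode_enabled:
        findings.append("FIPS mode is not enabled: the approved algorithms are not enforced")

    return findings


def review_inventory(modules: List[CryptoModule], today: date) -> Dict[str, List[str]]:
    """Run the review for every module and return findings keyed by product name."""
    return {m.product: review_module(m, today) for m in modules}


# Constructed inventory: none of these products, versions or certificate numbers are real.
SAMPLE_INVENTORY = [
    CryptoModule("edge-firewall", "7.2.1", "0001", "7.2.1", date(2020, 3, 15), "Active", True),
    CryptoModule("vpn-gateway", "5.0.4", "0002", "5.0.3", date(2019, 11, 1), "Active", True),
    CryptoModule("file-server-disk", "2.1", "0003", "2.1", date(2015, 6, 30), "Historical", False),
    CryptoModule("legacy-wifi", "1.0", "0004", "1.0", date(2014, 1, 10), "Revoked", True),
]

if __name__ == "__main__":
    for product, findings in review_inventory(SAMPLE_INVENTORY, REVIEW_DATE).items():
        print(product, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run as-is it reports nothing for the firewall, warns that the VPN gateway's certificate sunsets within six months and that its running version is not the validated one, flags the Historical disk-encryption module that is also not in FIPS mode, and tells you to stop relying on the revoked wireless module. Replace SAMPLE_INVENTORY with your own list (or load it from the inventory file the plan names) and re-run it on the schedule the plan sets.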
All Content © 2024 Monarch ISC