FIPS-140 is an important part of any successful security management system or—in the case of managed services providers (MSPs)—any IT security offering. Because of its critical role in security, it is essential that MSPs have a comprehensive understanding of the FIPS-140 standard, the different levels associated with it, and why it is important.
This guide will help you understand FIPS-140, specifically FIPS-140-2, with the aim of informing you how your MSP company should be protecting its data and customers.
What Is FIPS-140?
FIPS stands for Federal Information Processing Standard, and the FIPS-140 series is a collection of computer security standards set by the National Institute of Standards & Technology (NIST) for the United States government.
FIPS-140-2 refers to the benchmark for validating the effectiveness of cryptographic hardware. FIPS 140-2 certifications signify that a product has been formally tested and validated by the U.S. and Canadian Governments. However, beyond certification, FIPS-140-2 compliance has become a practical security benchmark that is recognized around the world, in both governmental and non-governmental sectors. As such, FIPS-140-2 has become globally recognized as a realistic best practice for testing and validating cryptographic hardware.
Organizations use the FIPS-140-2 standard to ensure that the hardware they are using meets specific security requirements. The FIPS series defines four increasing, qualitative levels of security, which are as follows:
- Level 1: This level requires production-grade equipment and algorithms that are tested externally.
- Level 2: This level introduces requirements for physical tamper-evidence and role-based authentication methods. It also requires that software implementations are run on an operating system approved to common criteria at EAL2.
- Level 3: This level adds another layer of requirements for physical tamper-resistance and identity-based authentication methods. At level 3, there must also be physical or logical separation between the interfaces by which “critical security parameters” enter and leave the module. Private keys should only be able to enter or leave in an encrypted form.
- Level 4: This level makes the physical security requirements more stringent, requiring the ability to be tamper-active, erasing the contents of the device if it detects various forms of environmental attack.
As the levels detailed above demonstrate, FIPS requires a more advanced encryption standard as the levels increase. FIPS-140-2 encryption requirements technically allow for software-only implementations at both level 3 and level 4, but applies such stringent requirements that none have been validated. For many companies, requiring FIPS certification at FIPS-140-3 is a sufficient compromise between operational convenience, effective security, and choice in the marketplace. Although at the time of writing, for many products (like SolarWinds Take Control) FIPS-140-3 is still undergoing scrutiny.
The History of FIPS-140
FIPS-140-1 was issued in 1994 and was developed by a government and industry working group. This group was composed of vendors and users of cryptographic hardware, who worked together to identify the four FIPS security levels as well as further requirements for each level.
FIPS-140-2 was issued in 2001 and takes into account the changes in available technology and official standards made since 1994. FIPS-140-2 was informed by the comments received from the vendor, tester, and user communities.
FIPS-140-3 was issued in 2019 to supersede FIPS-140-2. FIPS-140-3 aligns the NIST guidance around two international standards documents:
- ISO/IEC 19790:2012(E) Information technology — Security techniques — Security requirements for cryptographic modules
- ISO/IEC 24759:2017(E) Information technology — Security techniques — Test requirements for cryptographic modules
When Is FIPS-140 Used?
The Federal Information Security Management Act, also known as FISMA, requires all U.S. government agencies to use cryptography modules with FIPS-140-2 certification. U.S government contractors and third parties working for federal agencies are also required to be FIPS-140-2 certified. As mentioned, because FIPS-140-2 sets a high security benchmark and is globally recognized as a security best practice, many other industries have adopted the standard for the purpose of securing their own sensitive data—although they tend to look for compliance rather than certification. Most prominently, this includes the healthcare and financial services industries.
Why Is FIPS-140 Important?
FIPS-140-2 is widely considered to be the benchmark for security. It is perhaps the most important standard of the government market and is essential for non-military government agencies, government contractors, and vendors who work alongside government agencies.
The FIPS-140-2 certification provides assurance to users that a specific technology or hardware has passed rigorous testing by an accredited lab. It also ensures that the tests have been validated and that the product can be used to secure sensitive data. FIPS-140-2 and other similar security protocols are extremely important for MSPs, as they are likely to be handling large amounts of sensitive data on behalf of their customers. If customer data is compromised, this can have a disastrous impact on your MSP’s reputation, revenue, and business continuity.
Remote access with a FIPS-140 Compliance for Take Control Microsoft Connections
For MSPs looking for a trusted remote access solution that protects customer data, SolarWinds Take Control uses FIPS (140-2)-compliant cryptographic library modules to help secure Windows® device to Windows device remote connections.
Take Control helps you avoid vulnerabilities inherent in traditional RDP-based solutions by routing traffic through an intermediary that is much harder for hackers to penetrate. It uses advanced encryption standards, including FIPS-140-2 certified OpenSSL modules, to keep your sessions safe from malicious individuals. It also features AES 256 encryption and an Elliptic-Curve Diffie-Hellman (ECDH) protocol for establishing a secure connection each time a session between viewer and agent is created. Using tools with advanced encryption and FIPS 140-2 Compliant Components demonstrates to your customers that you are serious about security.
In addition, this remote access tool enables tighter control of user permissions and has an integrated password management utility that injects credentials into the system without the technician ever seeing them, further reducing risk. Take Control also leverages authentication apps for two-factor authentication (2FA), including Google Authenticator, Duo Mobile, Authy, and Microsoft Authenticator.
All in all, Take Control is an enterprise-grade, scalable, and user-friendly option for MSPs. Its remote access features include attended and unattended support, rapid connections, support for iOS and Android mobile devices, live chat and fast file transfers, and much more. To learn more and see for yourself, a 14-day free trial is available.