3.13.11 FIPS 140-2 Validated Cryptography

NIST Cryptographic Module Validation Program CMVP 3.13.9

It is time, finally, to talk about the #1 “Other than Satisfied” requirement in 800-171, per historic DIBCAC assessments.


💥 💥 FIPS 140-2 Validated Modules 💥 💥


Listen up – I’m going to tell you how to succeed at this requirement. It might take money, it might take time, but it CAN be done. It will definitely take more than one post though <grin>.

๐–๐ก๐š๐ญ ๐ข๐ฌ ๐…๐ˆ๐๐’?

It is a Federal Information Processing Standard ( number 140-2 ) which sets requirements for how awesome a cryptographic module needs to be to pass “validation”.

๐–๐ก๐š๐ญ ๐ข๐ฌ ๐š ๐œ๐ซ๐ฒ๐ฉ๐ญ๐จ๐ ๐ซ๐š๐ฉ๐ก๐ข๐œ ๐ฆ๐จ๐๐ฎ๐ฅ๐ž?

NIST’s definition: The set of hardware, software, and/or firmware that implements security functions (including cryptographic algorithms and keygeneration methods) and is contained within a cryptographic module boundary.

Amira’s (hopefully easier) definition: A self-contained software program that has inputs, outputs, a cryptographic algorithm that encrypts data, and the logic required for the algorithm to operate in a predictable way. It can be part of firmware, part of an operating system, or a portion of a larger application.

๐–๐ก๐š๐ญ ๐๐จ ๐ฒ๐จ๐ฎ ๐ฆ๐ž๐š๐ง “๐š๐ฐ๐ž๐ฌ๐จ๐ฆ๐ž”…? 

NIST has very smart cryptologists try to figure out ways to break the encryption from submitted modules. Based on how long it takes for new modules to get validated, my theory is that they spend a couple ๐˜บ๐˜ฆ๐˜ข๐˜ณ๐˜ด attempting to find a flaw. If they can’t find a flaw, the module gets a certificate hosted on the NIST website saying it is awesome… err, validated.

So what is the goal of FIPS?

The US Government has to transmit secret data across lines that adversaries have access to. Consider messages from our embassies in rival countries. If the other governments are on the ball at all, they will be trying to listen in.

FIPS validation gives the US Government confidence that their secret communications won’t be vulnerable to eavesdropping because the encryption has been tested.

People have invented lots of cryptographic algorithms and modules that turned out to be flawed. It makes sense that the US Government would decide to only use tested modules – it only takes getting burnt a few times to start having an opinion.

And if it is good enough for secret data, it should be good enough for CUI, right?

Question for everyone – have you heard of other cryptography being acceptable to DIBCAC? So far I’ve only heard of people passing this requirement using FIPS 140-2 validated modules. Using a cryptographic algorithm like AES 256 by itself is no good. I haven’t heard of anyone passing using NSA-approved cryptography.

FIPS continued – avoiding the need for FIPS 140-2 validated modules.

Source requirement: 3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

There are a handful of requirements in 800-171 that relate to FIPS. It is important to realize that just because FIPS validated cryptography could be used to solve them, it isn’t the only solution.

3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
^^ Not specific to CUI. Some sort of encryption needed, but FIPS for your remote access sessions (aka VPNs) is only needed if your CUI would otherwise be transmitted in the clear.

3.1.17 Protect wireless access using authentication and encryption.
^^ Not specific to CUI. Encryption needed, but FIPS is only required if your CUI would otherwise be transmitted in the clear.

3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
^^ This allows physical safeguards instead of FIPS – using a courier instead, for example.

3.8.9 Protect the confidentiality of backup CUI at storage locations.
^^ This allows any solution that protects confidentiality of backups, not just encryption.

3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
^^ This allows physical safeguards instead.

3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
^^ This is the only requirement which explicitly makes a connection between CUI and using encryption.

๐Œ๐ฒ๐ญ๐ก๐›๐ฎ๐ฌ๐ญ๐ข๐ง๐ :

๐Œ๐ฒ๐ญ๐ก: You have to use FIPS 140-2 validated modules for all of the above requirements.
๐…๐š๐œ๐ญ: FIPS is only required if encryption is used to protect CUI.*
*If you don’t transmit or store CUI in that situation, then you don’t need to use FIPS.
*In most cases, you can physically protect CUI instead of encrypting it.
*If your CUI is already thoroughly protected using one layer of FIPS encryption (such as a FIPS-protected HTTPS session), you don’t need to double-FIPS-encrypt it (you don’t need to put that HTTPS traffic through a FIPS-enabled VPN too).

๐Œ๐ฒ๐ญ๐ก: If you don’t use FIPS 140-2 validated modules for each of these requirements, you fail each requirement.
๐…๐š๐œ๐ญ: If you don’t use FIPS 140-2 validated modules to protect CUI, you fail only 3.13.11 (the one that says to use FIPS).** Non-FIPS encryption is fine to pass the other requirements.
**Based on DIBCAC precedent.

Please enjoy ⚡️Jil Wright’s and my somewhat silly video that illustrates these architectural concepts with drawings.

Part three of FIPS 140-2 compliance. Understanding your data flows.
We are almost done with the analysis of the top 10 “Other than Satisfied” #nist800171 requirements according to the DoD’s assessment group DIBCAC.

Now that you understand why FIPS is important to the government, and when FIPS is not required, it is time to talk about how to implement it (and demonstrate proof for assessors that you did so).

High level steps:
1. Identify where your CUI is and what systems it passes through.
2. Document these data flows (storage and transit) and identify the protection method used (encryption, physical).
3. For each encryption method, implement a FIPS-validated module or research to find which one is already used.
4. Link or download the certificates for each.

1. Identify where your CUI is and what systems it passes through – OR – plan how you want it to be.

Document a table for CUI in storage and a table for CUI in transmission, and fill in the details for your environment.

You need A) a method to receive CUI from external people; B) a place you can view and edit CUI internally; C) a method to send CUI to external people.

If your CUI is out of control or you don’t know what is CUI (sadly, most contractors are in this position), an approach is to pick one standard way that everyone in your org will be told to store and transmit CUI. Make sure that method is functional and easy to perform, then train everyone on it. Over time, make it the only way that CUI is stored or transmitted.

2. Document these data flows (storage and transit) and identify the protection method used (encryption, physical).
Add a column to your storage and transmit tables that identifies how the data is protected (encryption or physical). If physically protected (pro-tip: data that stays inside FedRAMP moderate or high clouds can be assumed to be physically protected), then you’re done. If encryption is used to protect the data, then move on to the next step.

3) ๐…๐จ๐ซ ๐ž๐š๐œ๐ก ๐ž๐ง๐œ๐ซ๐ฒ๐ฉ๐ญ๐ข๐จ๐ง ๐ฆ๐ž๐ญ๐ก๐จ๐, ๐ข๐ฆ๐ฉ๐ฅ๐ž๐ฆ๐ž๐ง๐ญ ๐š ๐…๐ˆ๐๐’-๐ฏ๐š๐ฅ๐ข๐๐š๐ญ๐ž๐ ๐ฆ๐จ๐๐ฎ๐ฅ๐ž ๐จ๐ซ ๐ซ๐ž๐ฌ๐ž๐š๐ซ๐œ๐ก ๐ญ๐จ ๐Ÿ๐ข๐ง๐ ๐ฐ๐ก๐ข๐œ๐ก ๐จ๐ง๐ž ๐ข๐ฌ ๐š๐ฅ๐ซ๐ž๐š๐๐ฒ ๐ฎ๐ฌ๐ž๐.

The video below is from our Kieri Compliance Documentation public demo.

The time-stamp in the link is the section where we show how the KCD does FIPS documentation. You can see examples of how to document your data flows for storage and transit, as well as identifying the cryptographic product and FIPS modules. We were told by our DIBCAC assessors that this was the best FIPS documentation they had ever seen.

Even if you aren’t a customer of Kieri Solutions this demo video is a great source of training about #CMMC documentation best practices.

FIPS 140-2 compliance for #cmmc. Minimum expected evidence.

We are at step 3 – research to implement FIPS validated modules:

3) ๐…๐จ๐ซ ๐ž๐š๐œ๐ก ๐ž๐ง๐œ๐ซ๐ฒ๐ฉ๐ญ๐ข๐จ๐ง ๐ฆ๐ž๐ญ๐ก๐จ๐, ๐ข๐ฆ๐ฉ๐ฅ๐ž๐ฆ๐ž๐ง๐ญ ๐š ๐…๐ˆ๐๐’-๐ฏ๐š๐ฅ๐ข๐๐š๐ญ๐ž๐ ๐ฆ๐จ๐๐ฎ๐ฅ๐ž ๐จ๐ซ ๐ซ๐ž๐ฌ๐ž๐š๐ซ๐œ๐ก ๐ญ๐จ ๐Ÿ๐ข๐ง๐ ๐ฐ๐ก๐ข๐œ๐ก ๐จ๐ง๐ž ๐ข๐ฌ ๐š๐ฅ๐ซ๐ž๐š๐๐ฒ ๐ฎ๐ฌ๐ž๐.

If you already have a solution in mind (such as your existing corporate firewall), the next step is to visit NIST’s Cryptographic Module Validation Program (CMVP), specifically the Search page: https://lnkd.in/gtC9ixuJ

Search for the solution you are using / intend to use. Pro tip: It is normally most productive to search by Vendor.

Validate that your solution has an active certificate, and review the text of it. Almost all certificates will state “When operated in FIPS mode”. You need to figure out how to turn this setting on for your solution.

If you don’t have a solution identified yet, you can use the CMVP to find one.

๐ƒ๐จ ๐ง๐จ๐ญ ๐ญ๐ซ๐ฎ๐ฌ๐ญ ๐ฏ๐ž๐ง๐๐จ๐ซ ๐ฐ๐ž๐›๐ฌ๐ข๐ญ๐ž๐ฌ!! Vendor websites are notorious for misrepresenting their solution’s validated status. If you can’t find a certificate on the CMVP, the solution probably isn’t validated.

I use vendor information to help me find the relevant certificate in the CMVP (for example, Microsoft has a nice KB that links directly to the certificates). Vendor information is also helpful to understand which module is used or how they are used, in cases where multiple validated modules exist for a product.

4) ๐‹๐ข๐ง๐ค ๐จ๐ซ ๐๐จ๐ฐ๐ง๐ฅ๐จ๐š๐ ๐ญ๐ก๐ž ๐œ๐ž๐ซ๐ญ๐ข๐Ÿ๐ข๐œ๐š๐ญ๐ž๐ฌ ๐Ÿ๐จ๐ซ ๐ž๐š๐œ๐ก.

Exactly what this says – for your 800-171 or CMMC Level 2 assessment, you must provide the ๐œ๐ž๐ซ๐ญ๐ข๐Ÿ๐ข๐œ๐š๐ญ๐ž๐ฌ for each solution to your assessor. Remember last post – you need to show how you are using validated modules for each transit or storage data flow that is protected using encryption.


Don’t forget to document how you turned on FIPS mode (or how to validate it is turned on).

What about cloud use? You need to show that your clouds are also protecting CUI in transit or storage. This is typically done by referencing the cloud’s FedRAMP authorization status (moderate+ includes FIPS).
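
The four steps above, written as a check over a data-flow table. This is an added example, not part of the original post; the record fields, product names and certificate numbers are placeholders invented for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Flow:
    name: str
    state: str                    # "storage" or "transit"
    protection: str               # "physical", "fedramp" or "encryption"
    product: str = ""
    cmvp_cert: str = ""           # certificate number located through the CMVP search page
    cert_status: str = ""         # status shown on that CMVP entry
    fips_mode_evidence: str = ""  # how FIPS mode was turned on, or how to verify it is on

def gaps(flow: Flow) -> List[str]:
    """Return the 3.13.11 evidence still missing for one CUI data flow."""
    if flow.protection == "physical":
        return []  # step 2: physically protected flows need nothing further
    if flow.protection == "fedramp":
        # cloud flows are evidenced by the FedRAMP authorization (Moderate or higher)
        return [] if flow.product else ["name the FedRAMP-authorized cloud service"]
    if flow.protection != "encryption":
        return [f"unknown protection method {flow.protection!r}"]
    found = []
    if not flow.cmvp_cert:
        found.append("no CMVP certificate recorded")
    elif flow.cert_status.lower() != "active":
        found.append(f"certificate {flow.cmvp_cert} is not active")
    if not flow.fips_mode_evidence:
        found.append("no record of how FIPS mode was enabled or verified")
    return found

def review(flows: List[Flow]) -> Dict[str, List[str]]:
    return {f.name: g for f in flows if (g := gaps(f))}

# Constructed inventory: every product and certificate value is a placeholder.
INVENTORY = [
    Flow("Courier-delivered drives", "transit", "physical"),
    Flow("Cloud file share", "storage", "fedramp", "EXAMPLE-CLOUD (FedRAMP Moderate)"),
    Flow("Remote access VPN", "transit", "encryption", "EXAMPLE-FIREWALL",
         "CERT-0001", "Active", "FIPS mode set in admin console; screenshot on file"),
    Flow("Laptop disk encryption", "storage", "encryption", "EXAMPLE-DISK-CRYPTO",
         "CERT-0002", "Historical", "policy setting export on file"),
    Flow("Email to suppliers", "transit", "encryption", "EXAMPLE-MAIL-TLS"),
]

if __name__ == "__main__":
    for name, found in review(INVENTORY).items():
        print(f"{name}: " + "; ".join(found))
```

Each flow that comes back with gaps is a row an assessor could mark against 3.13.11; the other encryption requirements are not affected by a missing certificate.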

We’ve finally reached the end of the “Top 10 Other than Satisfied” #nist800171 requirements according to the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)!

I hope you enjoyed this series. My next educational effort will be a series of interviews with companies that have successfully passed a CMMC or NIST SP 800-171 assessment. I ask them to describe their solution to specific requirements so that everyone can learn precedent: what is proven to be successful in the past. If you haven’t, follow me or sign up for the newsletter so that you don’t miss the fun.
