FIPS (Federal Information Processing Standards) are a set of standards issued by NIST to centralize and make uniform the ways in which the US government manages the risks of securing and transporting sensitive information. FIPS publications predate FISMA by decades, but the Federal Information Security Management Act of 2002 made them mandatory for federal agencies (removing the earlier waiver process). FIPS quickly became a commonly imitated framework for information security in all business sectors, and has had a global impact on what buyers ask of hardware and software products.
- What does FIPS require?
- Should I aim for FIPS compliance?
- What does FIPS address?
- What about FedRAMP?
What does FIPS require?
FIPS compliance requires that a system meet the requirements of whichever numbered publications apply to it. FIPS 140 (currently FIPS 140-3), for example, sets the security requirements for cryptographic modules, whether implemented in hardware or software, and the testing they must pass. FIPS 198-1, on the other hand, specifies HMAC, a keyed-hash message authentication code. It is not enough for a product to claim to be FIPS compliant: the cryptographic module must be tested by an accredited laboratory and the results reviewed by NIST's Cryptographic Module Validation Program (CMVP), which incurs a considerable cost. To avoid these costs, many products rely on cryptographic modules that have already been validated. Typically, something which has been directly put through the wringer is referred to as FIPS validated, while something built on already-validated modules is referred to as FIPS compliant; only the former appears on the CMVP validated modules list. Changes to a validated module can trigger revalidation, so modules that have cleared the bar tend to change infrequently, which can be either desirable or undesirable depending on your perspective.
Should I aim for FIPS compliance?
It is extremely important to note that unless there is a specific requirement to use or be beholden to FIPS (or any compliance framework), it is almost always a losing proposition to blindly mimic a standard. FIPS is an extremely useful and effective framework for managing risk at government scale. Embedded in the framework is the specific set of risks the US Government is and is not comfortable accepting, weighed against the cost of mitigating them. In another sector, or at another scale, those decisions do not directly translate.
FIPS validated and compliant products pass the cost of lab validation along to their consumers. Do not fall into the trap of assuming that because something meets a specific compliance framework it is “more secure”! Additionally, by its nature FIPS is slow to change. Advances in cryptography and computer hardware mean that at smaller scales it is often defensible to move faster and enjoy the benefits of modernity without weakening your security posture.
A good example of this is Windows' “FIPS mode”, the group policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which changes the behavior of Schannel (restricting the TLS cipher suites it will negotiate) and of the .NET Framework cryptography classes (non-validated managed implementations may refuse to run). Unless you are required to turn this mode on, the most likely result is that applications break without any tangible security benefit; Microsoft itself no longer recommends enabling it absent such a requirement.
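Before touching the policy either way, it helps to know whether a host already has it on. The following PowerShell is an added example (not code from the original article or from Microsoft) that reads the registry value the policy is persisted in and compares it with what the .NET Framework crypto stack on the same host believes; the function name Get-FipsAlgorithmPolicy is an assumption made here.

```powershell
# Added example: report whether the Windows "System cryptography: Use FIPS
# compliant algorithms for encryption, hashing, and signing" policy is in
# effect on this host. The policy is persisted in the registry value below
# (Enabled = 1 means on; 0 or absent means off).
function Get-FipsAlgorithmPolicy {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = 0
    if (Test-Path $path) {
        $value = Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue
        if ($null -ne $value) { $enabled = [int]$value.Enabled }
    }
    [pscustomobject]@{
        RegistryPath   = $path
        FipsPolicyOn   = ($enabled -eq 1)
        # The same policy as observed by the .NET Framework cryptography classes.
        DotNetFipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

$state = Get-FipsAlgorithmPolicy
$state | Format-List
if ($state.FipsPolicyOn) {
    Write-Warning 'FIPS algorithm policy is enabled: Schannel will refuse non-approved TLS cipher suites and .NET managed crypto classes may throw. Confirm a documented requirement exists before leaving this on.'
}
```

Run it in an elevated PowerShell session on the machine in question; if FipsPolicyOn and DotNetFipsOnly disagree, the process was started before the policy last changed, and a reboot or fresh session will bring them back in line.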
What does FIPS address?
FIPS 200 sets the minimum security requirements for federal information systems and directs agencies to select controls from NIST SP 800-53, which organizes them into the following key system areas known as “Control Families”:
AC - ACCESS CONTROL
How is access granted and enforced?
AT - AWARENESS AND TRAINING
How are people supposed to interact with the system? What should indicate to them that something is wrong?
AU - AUDIT AND ACCOUNTABILITY
What records (logs and audit trails) show who did what and when, prove that compliance is adhered to, and how long must they be retained?
CA - ASSESSMENT, AUTHORIZATION, AND MONITORING
How are we ensuring compliance in an ongoing way?
CM - CONFIGURATION MANAGEMENT
How do we insulate against the risk of change?
CP - CONTINGENCY PLANNING
How do we handle unexpected events?
IA - IDENTIFICATION AND AUTHENTICATION
How does the system know users are who they claim they are?
IR - INCIDENT RESPONSE
How do we handle problems when they occur?
MA – MAINTENANCE
How do we ensure that the care and feeding of systems does not inadvertently violate our practices and guidelines?
MP - MEDIA PROTECTION
How do we handle the lifecycle of removable media (tapes, CDs, etc.), from labeling through sanitization and disposal?
PE - PHYSICAL AND ENVIRONMENTAL PROTECTION
How do we ensure protection of the physical equipment?
PL – PLANNING
What must be done on an ongoing basis to ensure due diligence? What must be reviewed, re-reviewed, and when?
PM - PROGRAM MANAGEMENT
This encompasses artifacts such as system inventory, risk management strategy, and a critical infrastructure lifecycle plan.
PS - PERSONNEL SECURITY
How do our practices prevent human error? How do our practices prevent malicious employees?
PT - PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
How do our systems responsibly handle information that uniquely identifies a user?
RA - RISK ASSESSMENT
What are the main ways in which we are at risk? How can we reduce risk to an acceptable level in an ongoing way?
SA - SYSTEM AND SERVICES ACQUISITION
What are the acceptable ways to bring in new hardware and software? How do we define trustworthiness?
SC - SYSTEM AND COMMUNICATIONS PROTECTION
How are network boundaries, data in transit, and cryptographic keys protected? How are system components separated from one another?
SI - SYSTEM AND INFORMATION INTEGRITY
How do we ensure data integrity and catch corruption before it becomes catastrophic (bit flips, etc.)? How are software flaws remediated, malicious code blocked, inputs validated, and systems monitored for signs of compromise?
SR - SUPPLY CHAIN RISK MANAGEMENT
What checks, balances, and procedures protect us from a bad actor in our supply chain?
What about FedRAMP?
Unlike FISMA, which is a law and compliance framework, FedRAMP is a specific authorization program for cloud service providers. A FedRAMP authorization cannot be granted unless the service uses FIPS 140-validated cryptographic modules and meets the FedRAMP baseline of SP 800-53 controls. A FedRAMP authorization is required before a federal agency can use a cloud service provider's offering. Once authorized, an organization can sell that service to US Government agencies, which can be a reliable and lucrative revenue stream. Achieving authorization is an onerous process, requiring a “System Security Plan” (SSP) describing how the cloud service implements the required controls, an assessment by an accredited Third Party Assessment Organization (3PAO), and continuous monitoring afterwards.
Ultimately, FIPS provides a valuable framework for ensuring the appropriate conversations are had, and revisited at appropriate intervals, in order to achieve standards-based compliance at scale. Companies doing business with the US government should familiarize themselves with their ongoing obligations and requirements. Companies seeking to do business with the US government for the first time should weigh the overhead and cost involved and seek someone with proven experience taking a company through the necessary changes and documentation.