FIPS 140-2, Security Requirements for Cryptographic Modules, specifies security standards that must be met when encryption is used to protect sensitive government data, including Controlled Unclassified Information (CUI). But meeting FIPS 140-2’s exacting requirements for encryption is difficult for contractors, as the process to implement and then prove FIPS 140-2 compliance is lengthy and demanding.

FIPS stands for Federal Information Processing Standards. The National Institute of Standards and Technology (NIST) requires implementation of FIPS standards so that cybersecurity levels are consistent across federal agencies and the non-government contractors they work with.

This blog post explains the importance of FIPS 140-2 compliance for defense contractors, given that it is a key component of DFARS, NIST and CMMC requirements. It also outlines what it takes to meet FIPS 140-2 standards, and how to be certain that your Cloud Service Provider (CSP), if you use one, is FIPS 140-2 certified.

Why it matters: FIPS 140-2 Validation is Required to Meet NIST 800-171

If your organization handles CUI and employs encryption to protect it, you’ll need to ensure that either your encryption modules, or those deployed by your CSP if you use one, meet FIPS 140-2 standards.

That’s because all defense contractors that handle CUI have a DFARS 252.204-7012 clause in their contract. DFARS 7012 requires compliance with NIST 800-171, which was written to protect CUI and invokes the FIPS 140-2 requirement.

NIST 800-171 has 110 security controls that defense contractors that handle CUI need to implement. Control 3.13.11 states that contractors must:

[E]mploy FIPS-validated cryptography when [cryptography is] used to protect the confidentiality of CUI.

Several other controls require the use of cryptography, which in turn makes control 3.13.11 applicable. For example, control 3.13.8 calls for cryptographic mechanisms to protect CUI during transmission unless it is otherwise protected by alternative physical safeguards, and control 3.1.13 calls for cryptographic mechanisms to protect the confidentiality of remote access sessions.

Note that whenever encryption is used to protect CUI, FIPS 140-2 validation is required. That requirement applies regardless of whether the device handling CUI is a desktop or a mobile device, a peripheral or an endpoint, and regardless of whether the CUI takes the form of files, individual documents, images or text.

Why it matters: NIST 800-171 compliance is required for CMMC Level 2 certification

CMMC (Cybersecurity Maturity Model Certification) is the DoD’s new program to verify defense contractors’ compliance with DoD security requirements for the protection of sensitive information. The vast majority of organizations that handle CUI will need to achieve CMMC Level 2, which requires independent third-party assessments of compliance rather than the self-assessments that NIST 800-171 has permitted. Level 2’s security controls align completely with the 110 security controls of NIST 800-171.

To learn more about CMMC, see PreVeil’s brief, Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), which has been downloaded by more than 4,000 defense contractors.

The CMMC program is currently in its final stages of the federal rulemaking process and CMMC requirements are expected to begin to appear in defense contracts in late 2024. In the meantime, the DoD has offered Joint Surveillance Voluntary Assessments (JSVAs) to help defense contractors that want to get a jump on meeting CMMC requirements. JSVA assessments are based on CMMC Level 2 requirements, which mirror NIST 800-171 controls.

Early reports on JSVA assessments highlight the importance of proper FIPS 140-2 implementation, as many organizations are struggling to meet the FIPS standard for the protection of CUI on devices and endpoints. Earlier data shared by DIBCAC confirms the problem: non-compliance with NIST 800-171 control 3.13.11, FIPS-validated cryptography, tops DIBCAC’s list of the ten NIST 800-171 controls most often found “other than satisfied” (that is, not met).

To learn how a PreVeil customer achieved a 110/110 NIST 800-171 score in a Joint Surveillance Voluntary Assessment, see this case study.

Clearly, FIPS 140-2 standards are hard to meet. But if you rely on a CSP or other outside vendor to encrypt your CUI, it is easy to find out whether they comply with FIPS 140-2, as explained below.

How to tell if it’s real FIPS 140-2

The easiest way to determine whether your CSP is FIPS 140-2 certified is to check the NIST Cryptographic Module Validation Program (CMVP) website and search for the company’s name in NIST’s Validated Modules database. If the vendor you are considering working with is listed there, their module has been tested and validated under the NIST CMVP program, and you can implement their encryption technology with confidence.

Achieving NIST CMVP validation is no easy feat. Vendors can take up to 18 months to complete the necessary three-step program. The steps must be completed in order; none can begin until the previous one is finished.

To pass, vendors must:

  1. Document all cryptographic methods and algorithms implemented against the FIPS 140-2 standard. Any gaps in the vendor’s implementation must be closed by writing the necessary code or documentation.
  2. Participate in the NIST Cryptographic Algorithm Validation Program (CAVP), in which an independent NIST-approved lab tests and evaluates the algorithms implemented in the vendor’s code. Each algorithm that passes receives a CAVP certificate from NIST.
  3. Have NIST test and evaluate the cryptographic module end to end, including the documentation and the CAVP-certified algorithms used in the module itself. Only when the testing is complete and approved will NIST issue a CMVP certificate for the validated cryptographic module.

Only after completing this third step and being listed in the NIST Validated Modules database can a vendor truthfully claim to be using FIPS 140-2 validated cryptographic modules.

What about “FIPS Inside”?

Some vendors will claim that they comply with FIPS 140-2 standards without undergoing the NIST CMVP certification process. They will point to what is commonly called “FIPS Inside,” which means they implement FIPS-approved crypto libraries or use FIPS-approved algorithms in their solutions, but their implementation has never been vetted by NIST itself.

While it is possible to meet the NIST standard for FIPS 140-2 without undergoing the validation process, it is extremely difficult for a defense contractor to determine whether a vendor’s claim to have done so is valid. The contractor would have to examine the vendor’s code, ensure all algorithms and modules meet the FIPS 140-2 requirements, and validate mechanisms that are usually invisible to contractors, such as self-tests, service access controls, error handling and entropy tests, along with many other features beyond the encryption algorithms themselves. This testing is complicated, time-consuming and costly.

Be wary of vendors who self-attest to meeting the FIPS 140-2 standard. Only a CMVP certificate ensures that you have best-in-class security when it comes to the encryption standards your vendor provides. Here’s PreVeil’s CMVP certificate. Any trustworthy vendor will be willing to show you theirs, too.

Conclusion

As a defense contractor, the ultimate responsibility for ensuring compliance lies with you. It is your responsibility to ensure that any software or hardware you use to encrypt CUI meets the critical security parameters set forth by FIPS 140-2. A reputable CSP will be able to provide you with its FIPS 140-2 certificate.

Today, many CSPs promise contractors that they can help them meet the mandates of FIPS 140-2, NIST 800-171, CMMC and more. The challenge is to ensure that the CSP you are considering working with actually meets DoD mandates for protecting CUI. Ask the CSP for the appropriate certification and/or documentation proving that it does what it claims, and ask whether it has helped contractors through DoD assessments. Otherwise, your organization risks wasting time and money and introducing compliance deficiencies and complexities.

To learn more

PreVeil is trusted by more than 1,000 small and mid-size defense contractors to meet their compliance needs faster and more affordably.