If you work in government or a regulated industry, you’ve no doubt heard of the Federal Information Processing Standards, perhaps better known by the acronym FIPS. FIPS is a very broad set of standards publications, but in the software industry the term usually refers to the publication specifically about cryptography, FIPS 140-2, Security Requirements for Cryptographic Modules. FIPS 140-2 is a product of the joint effort between the United States and Canada called the Cryptographic Module Validation Program. It standardizes the testing and certification of cryptographic modules that are accepted by the federal agencies of both countries for the protection of sensitive information.

FIPS 140-2 defines four security levels (1–4) which correlate to the level of protection a FIPS‑certified module must provide.

  • Security Level 1 relates specifically to software cryptographic modules. It stipulates which cryptographic algorithms may be used and the self‑tests that must be conducted to verify their integrity.
  • Security Levels 2–4 require different degrees of physical security, such as tamper‑evident coatings or seals, and so don’t apply to software solutions on customer‑selected hardware. These levels also require role‑based or identity‑based authentication.

Why FIPS Compliance Matters

The consequences of processing sensitive information in a non‑compliant fashion can be severe. At best, it can mean the loss of a valuable contract with an organization that requires FIPS compliance, such as the U.S. Federal government. At worst, it can lead to theft of personal information or national security documents. Although FIPS 140-2 is a North American government certification, it has become a global cryptographic baseline for:

  • Numerous programs and regulations that depend in some way on FIPS 140-2 validation (including HIPAA, PCI DSS, FedRAMP, FISMA, DFARS, CMMC, DoDIN APL, Common Criteria, NSA CSfC, and HITECH)
  • Regulated industries (banking, finance, critical infrastructure)
  • At least 16 countries outside North America that base their cryptographic requirements on FIPS 140-2 (including Australia, Belgium, Denmark, France, Germany, Israel, Italy, Japan, Netherlands, New Zealand, Norway, Singapore, South Korea, Spain, Sweden, and United Kingdom)

Achieving FIPS Compliance with NGINX Plus - NGINX