To achieve a FedRAMP Ready designation, a CSO’s MFA solution must comply with NIST Special Publication (SP) 800-63B, which requires the use of FIPS 140 validated encryption for MFA tools. While agencies may accept risk by allowing a CSP to work through POA&M actions to achieve compliance with NIST SP 800-63B requirements, a Readiness Assessment Report (RAR) has no authorizing official to accept and approve risk for open POA&Ms. A FedRAMP Ready designation indicates to agencies that a cloud service can be authorized without significant risk or delay due to noncompliance. The use of FIPS 140 validated cryptographic modules, where encryption is required, is a federal mandate, as indicated in the RAR template. This applies to MFA tools as well.
The FedRAMP PMO has provided additional resources below that apply to all MFA tools, where required (authenticators and verifiers).
MFA resources:
1. The NSA published a paper last year, Selecting Secure Multi-factor Authentication Solutions, addressing popular MFA offerings and their status on meeting NIST requirements; CSPs may find this helpful in identifying FIPS 140 validated MFA solutions. As indicated, this is not a FedRAMP-developed document, and FedRAMP does not control the currency of the information.

FIPS 140 is not an easy prerequisite, and with the swiftly changing landscape, it's more important than ever to have a strong partner to handle the issues as they crop up. SafeLogic's team addresses everything on your behalf, from sunset dates and algorithm transitions to operational testing and security patches. If you are a CSP, with or without MFA, don't hesitate to reach out. Let's discuss how you're tackling FIPS 140 and whether you need ongoing assistance from dedicated experts!