For companies selling to the public sector, directly or indirectly, it is essential to prove that their solutions use FIPS 140 validated encryption anywhere they use encryption. Whether the compliance regime is FedRAMP, CMMC 2.0, Common Criteria, the DoD Approved Products List (APL), StateRAMP, FISMA, or another, the NIST standard FIPS 140 typically applies to any cryptography used in the solution. Without demonstrable use of FIPS 140 validated cryptography, NIST and FedRAMP treat the cryptographic controls as no stronger than plaintext, because government agencies have no independent evidence of how well the vendor has implemented them.
Suffice it to say that clearing the FIPS 140 validated cryptography requirement can often mean the difference between making the sale or not. Third-party assessment organizations (3PAOs) and public sector procurement officers will examine the evidence for the use of FIPS 140 validated cryptography. That usually entails searching NIST's Cryptographic Module Validation Program (CMVP) website for an active certificate that corresponds to the FIPS 140 validated module the company claims to use. They will examine these certificates and their accompanying security policies for various important details: the exact module name and version, the operational environments it was tested on, the approved algorithms and modes, and the module's status. The status matters most. Only an 'active' certificate indicates that the module has been properly maintained and meets the current FIPS 140 requirements; a certificate marked 'historical' or 'revoked' will not satisfy an assessor, even if the underlying code has not changed.
The traditional approach to achieving FIPS 140 validation is lengthy, costly, unpredictable, distracting, and ongoing. Going for FIPS 140 validation is definitely not for the faint of heart. The process usually starts with hiring a FIPS 140 consultant, because most organizations lack internal staff with FIPS 140 expertise. That consultant works with the engineering team to advise them on how to design, develop, document, and test a cryptographic module in accordance with the latest FIPS 140 specification (currently FIPS 140-3).
The company then has to contract with, and make a submission to, an accredited Cryptographic and Security Testing (CST) laboratory, one that NVLAP has accredited to perform FIPS 140 testing on cryptographic modules. There is usually some back and forth between the laboratory and the submitting organization to resolve any issues. After the lab finishes its testing, it submits the test report and module documentation to the CMVP (run jointly by NIST and the Canadian Centre for Cyber Security), where the submission goes into a queue for CMVP review and comments. Once CMVP review of the submitted module starts, there are several stages of review, with comments flowing back to the laboratory. Success in the process is not guaranteed, and not all modules make it through to become validated.
In the end, if the submission is successful, the module is FIPS 140 validated and the CMVP issues a certificate. End to end, this process can take 18 to 24 months or even longer. The issued certificate carries a sunset date, typically five years from the validation date. Hence the submitting organization may conclude that it has "solved" the FIPS 140 validation problem for that timeframe. Unfortunately, that is not the case.
FIPS 140 requirements constantly change (e.g., algorithms become disallowed, minimum key sizes increase, and the implementation guidance is revised). That is necessary because computing power keeps growing and the cryptanalytic techniques available to adversaries are not standing still. In practice, about every 6 to 12 months there is something called a "transition," where all vendors of FIPS 140 validated modules need to make changes to their modules and associated documentation to satisfy the new requirement. Those artifacts then have to be reviewed and tested again by a laboratory and pass through another CMVP review.
If an organization fails to do this, its certificate does not survive the transition and is moved to what is known as "historical" status. In fact, there was a transition in 2022 that roughly 50% of previously active FIPS 140 validated modules did not survive, shortening their useful lives, in many cases far earlier than their theoretical five-year sunset dates.
In layman's terms, that means the cryptographic module used to be compliant with the FIPS 140 standard but no longer is. The CMVP itself states that historical modules are not recommended for inclusion in new procurements by federal agencies, and in many, if not most, cases the government will not procure solutions that cannot demonstrate an active CMVP certificate. (Existing deployments of a historical module are generally allowed to continue, but that does not help with winning new business.) In other words, an organization must keep spending time and money on an ongoing basis to remain FIPS 140 validated, and must also bear the ongoing opportunity cost of dealing with FIPS instead of focusing on its core business. Therefore, as difficult as achieving initial FIPS 140 validation may be, maintaining it over time is even more difficult.
To give you an idea of the magnitude of this maintenance challenge, as of April 2023 the CMVP database contained 4,486 certificates. Of those, NIST classified only 915, or 20%, as 'active' at that time. That means 3,571 certificates (80% of the total) could not be used to support new government procurements. Some of those were simply past their sunset date or had been superseded by a newer certificate from the same vendor, but a large share went historical because they were not maintained through the transitions.
Our next blog post looks at the difference between FIPS validated and FIPS compliant. It describes how companies using a FIPS compliant strategy run a far higher risk of their certificate going historical, shutting them out of new government deals.