Important News:SafeLogic's CryptoComply Achieves FIPS 140-3 Validation for 28 OEs and Receives Certificate #4781! Read the blog post!
FedRAMP FIPS 140 Compliance
Understanding FIPS 140 Requirements for FedRAMP
The U.S. Federal Risk and Authorization Management Program (FedRAMP) was created in 2011 to provide a standardized approach for assessing, monitoring, and authorizing Cloud computing products and services under the Federal Information Security Management Act (FISMA).
FedRAMP’s stated goal is to enable “agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective Cloud-based IT”.
In January 2023, the President signed the FedRAMP Authorization Act as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.
FedRAMP Provides Efficiency and Synergy for Government Agencies and Cloud Service Providers
By standardizing the FedRAMP FIPS requirements, disparate agencies can reap the benefits of selecting products from a pool of already-vetted Cloud solutions, accelerating deployment and simplifying the process.
Since FedRAMP’s standardized security framework is recognized by all executive branch federal agencies, IaaS, PaaS, and SaaS vendors only need to go through the FedRAMP Authorization process once for each of their Cloud Service Offerings (CSOs).
FedRAMP, like so many other U.S. federal technology governance requirements, is tied directly to the frameworks established by the National Institute of Standards and Technology (NIST).
FedRAMP relies on NIST’s Special Publication (SP) 800-53 for best practices in federal information systems and organizations. Adhering to FedRAMP FIPS compliance requirements is crucial. Hence, FedRAMP can be interpreted as “clarifying 800-53 controls for Cloud deployment.”
Both FedRAMP and FISMA use the NIST SP 800-53 security controls. The FedRAMP security controls are based on NIST SP 800-53 baselines and contain controls, parameters and guidance above the NIST baseline that address the unique elements of cloud computing.
FedRAMP security controls and enhancements were selected from the NIST SP 800-53 catalog of controls by the FedRAMP Joint Authorization Board (JAB) based on the FedRAMP Program Management Office (PMO) analysis.
The JAB then layered additional guidance and requirements around these controls. The controls were selected to address the unique risks of Cloud computing environments, such as multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust.
The FedRAMP security controls, enhancements, parameters, and requirements are arranged in tiers based upon the four FedRAMP Security Controls Baselines – Tailored, known as Low Impact Software as a Service (LI-SaaS), Low, Moderate, and High.
They are organized into seventeen (17) control families and each increasing level adds to the controls required for from the lower security control baseline.
Federal Agencies and their Cloud Service Providers (CSPs) are mandated to implement these security controls, enhancements, parameters, and requirements to satisfy the unique requirements of Cloud computing for the Federal Government.
IaaS, PaaS, and SaaS Providers Must use FIPS 140 Validated Cryptography for Encryption to Obtain their FedRAMP Certification
FedRAMP is designed for federal agency procurement streamlining, so the encryption requirements conform to federal mandates.
There are three (3) critical controls that have been mapped from NIST 800-53 that are required at every FedRAMP baseline and in which encryption is addressed:
- IA-7 Cryptographic Module Authentication
- SC-12 Cryptographic Key Establishment and Management
- SC-13 Cryptographic Protection
NIST security controls across all their publications always reference the NIST standards written for cryptography – Federal Information Processing Standard 140, now in the process of transitioning from its second revision, FIPS 140-2, to its third, FIPS 140-3.
This states that in all cases, if encryption is employed as a mechanism to meet a security requirement, it must be FIPS 140 validated under the Cryptographic Module Validation Program (CMVP).
You can never go wrong with FIPS 140-2 validated encryption in federal government deployments or when satisfying NIST requirements.
SafeLogic's FIPS Validation-as-a-Services Meets FedRAMP Requirements
Getting your own cryptography software reviewed, tested, validated, and certified by NIST can take as long as two years, not counting the time required to develop the software. SafeLogic literally cuts the time required to achieve NIST certification from two years to two months, then keeps your certification active over time with these three key capabilities.
CryptoComplyTM
CryptoComply is SafeLogic’s flagship software, a family of FIPS 140 validated cryptographic software modules. They deliver “Drop-in Compliance” as direct replacements for popular open-source crypto providers.
Click to learn more about CryptoComply
RapidCertTM
SafeLogic revolutionized the FIPS industry twelve years ago with RapidCert, the industry's first expedited rebranding program. Get a FIPS certification in your name in only two months with RapidCert.
Click to learn more about RapidCert
MaintainCertTM
Now SafeLogic is revolutionizing FIPS again with MaintainCert. FIPS certificates go ‘historical’, meaning they are no longer valid, all the time. Not with MaintainCert, SafeLogic’s new white-glove support service.
Click to learn more about MaintainCert
Watch SafeLogic CEO Evgeny Gervis Discuss FedRAMP Modernization and FIPS 140-3
On August 22, 2024, the Alliance for Digital Information held an event focused on aligning security and compliance with the Office of Management and Budget's (OMB's) final memo on modernizing the FedRAMP program. Evgeny’s portion of the panel discussion starts at the 1:35 mark.