Engaging with the US Government technology? Learn how to streamline the FIPS 140-2 process with an intelligent switching software framework.
As the amount of data shared across platforms continues to grow exponentially, it seems every day there’s another headline about hackers stealing sensitive data. Major global companies such as British Airways, Facebook, Google, Marriott and T-Mobile all dealt with significant security breaches in 2018. In Facebook’s case, an estimated 100 million users were affected. For Marriott, it was 500 million users. Because virtually all companies that process data are vulnerable to these attacks, security has become a top priority for private and public companies intent on keeping their customer’s data safe and secure. But the standards get even more stringent when dealing with national governments—especially the United States.
Given the sensitivity of the data government agencies manage daily, the U.S. mandated a rigorous security standard in 2002 called the Federal Information Processing Standard (FIPS) 140-2. Companies are required to comply with FIPS 140-2 if they want to develop products—hardware, firmware and software—for the U.S. federal government. In addition to finished products, companies must use the FIPS standard when designing and implementing cryptographic modules that government departments and agencies operate or are operated on their behalf by contractors.
The U.S. military requires compliance with FIPS for vendors that deal with sensitive national security information, as well as government vendors that deal with personal and financial information. FIPS is well regarded around the world: Canada co-sponsored the standard and governments in Europe, South America and Asia use it as well. Regulated industries including financial services, healthcare, critical infrastructure and automotive have also begun to use FIPS to protect sensitive data, making it the gold standard when it comes to data protection and security.
This also means FIPS compliance is no cakewalk for companies. It is a rigorous security approval and certification program for cryptography developed by private companies and used by U.S. government agencies to process sensitive but unclassified (SUB) data. The FIPS guidelines and rigorous validation process ensure the company’s products are free of vulnerabilities.
There are four security levels in the FIPS 140-2 standard and each level has 11 criteria for product design and implementation. Companies must address all 11 criteria; the higher the level, the more rigorous the documentation and engineering required to achieve compliance. The eleven functional areas are:
- Cryptographic Module Specification
- Module Ports and Interfaces
- Roles, Services, and Authentication
- Finite State Model
- Physical Security
- Operational Environment
- Cryptographic Key Management
- Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
- Self Tests
- Design Assurance
- Mitigation of Other Attacks
Reach the Gold Standard with an Intelligent Switching Solution networking software
FIPS 140-2 compliance is complex, requires significant planning and resources, and can take many months to complete. We offers a licensable software framework called the Intelligent Switch Solution (ISS) that has been designed to streamline the compliance requirements. All the necessary functionality and management support for devices to satisfy FIPS 140-2 compliance requirements are designed into the ISS software. ISS is widely deployed by network equipment makers (NEMs) around the world in their switches and routers and includes network security functions for devices such as secure routers, firewalls and mission-critical switches.
Our networking software experts complement the ISS solution for FIPS compliance with over two decades of engineering experience across a broad spectrum of secure applications. Together with our software production development services, this cutting edge ISS framework can significantly reduce the uncertainty and time required to launch FIPS-compliant products.