The stakes are high when it comes to protecting the U.S. Government's most sensitive data. For this reason, the Government has created stringent standards for any technology that is used in cybersecurity solutions designed to safeguard government data.
FIPS is one such standard.
There's a lot of talk of FIPS amongst cybersecurity vendors, and you'll hear terms like FIPS certified and FIPS compliant. There's a distinct difference between the two, and we explain more in this article.
What is FIPS?
The Federal Information Processing Standard 140-2 (FIPS 140-2) is the U.S. Government's standard for cryptographic modules. Non-military federal agencies, and the contractors and service providers that work with them, must use FIPS 140-validated cryptography wherever they collect, store, transfer, share or disseminate sensitive but unclassified (SBU) information. Note that FIPS 140-2 has since been superseded by FIPS 140-3: new modules have been validated against FIPS 140-3 since September 2021, and existing FIPS 140-2 certificates move to the historical list in September 2026, so a practitioner buying today should ask which version a certificate was issued under.
Validations are issued by the Cryptographic Module Validation Program (CMVP), run jointly by NIST and the Canadian Centre for Cyber Security. The FIPS 140-2 requirements are also the basis of the international standard ISO/IEC 19790, so they are recognized well beyond the U.S. and Canada, including in the European Union.
Why FIPS 140-2 is important to both the public and private sectors
Because of the robust level of assurance FIPS 140-2 provides, many state and local government agencies, as well as enterprises in the energy, transportation, manufacturing, healthcare, and financial services sectors, depend on FIPS 140-2 as their cryptographic module standard of choice.
Given the importance of FIPS 140-2 to both the public and private sectors, it's important to understand the difference between "FIPS compliant" (or "FIPS enabled") and "FIPS validated" (or "FIPS certified").
The FIPS validation process
In order to become FIPS 140-2 validated (the CMVP's own term; "certified" is the informal equivalent), the cryptographic module, meaning the hardware, software or firmware inside a defined cryptographic boundary rather than the whole product, must be tested by a Cryptographic and Security Testing (CST) laboratory accredited under NIST's NVLAP program, and the lab's results must then be reviewed and accepted by the CMVP. The U.S. labs named by this article are listed below; check NIST's current NVLAP list before engaging one:
- Advanced Data Security (San Jose, CA)
- AEGISOLVE, Inc. (Mountain View, CA)
- Acumen Security (Rockville, MD)
- atsec Information Security Corporation (Austin, TX)
- Booz Allen Hamilton Cyber Assurance Testing Laboratory (Laurel, MD)
- COACT, Inc. Labs (Columbia, MD)
- CygnaCom Solutions, Inc. (McLean, VA)
- Gossamer Security Solutions (Catonsville, MD)
- Leidos Accredited Testing & Evaluation Lab (Columbia, MD)
- Penumbra Security, Inc. (Clackamas, OR)
- UL Verification Service, Inc. (San Luis Obispo, CA)
As part of the FIPS 140-2 validation process, the vendor sends the testing laboratory detailed documentation (including the Security Policy that defines the module boundary, its approved mode of operation and its services) and, for software modules, the source code. Lab testing alone generally takes 6 to 9 months; the CMVP review queue that follows can add many more, so plan for a year or longer end to end.
If the module fails during testing, it must be fixed and the affected testing repeated before the submission can proceed.
Any change to code inside the cryptographic boundary must be reported to the CMVP: a change that does not affect security can be handled as a documentation-only update to the existing certificate, but a security-relevant change requires retesting, and an unreported change leaves the shipped module outside the validation.
What does it mean to be FIPS compliant?
IT security solutions that are marketed as being "FIPS compliant" are making a vendor claim that the product meets FIPS requirements.
In practice this usually means one of two things: the product embeds someone else's validated module (for example, an operating system or library module with its own CMVP certificate) and relies on it for all cryptography, or the product merely uses approved algorithms, perhaps with CAVP algorithm certificates, without any module-level validation. Either way, no accredited laboratory has validated the product as a whole. A "compliant" claim is only meaningful if the product actually uses a validated module, in the approved mode of operation described in that module's Security Policy, for every security-relevant cryptographic operation, so ask the vendor for the CMVP certificate number they rely on and how the product guarantees it is in the approved mode.
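The practical counterpart of that question is checking the host you actually deploy on. The script below is an added example written for this article, not code from any vendor or from the CMVP. It assumes a Linux host running OpenSSL 3 with the FIPS provider, and uses two real interfaces: the kernel's `/proc/sys/crypto/fips_enabled` flag and the text printed by `openssl list -providers`. The provider listing it runs on in demo mode is constructed to match that command's output format.

```bash
#!/bin/sh
# Added example: confirm a Linux host is really operating validated crypto in
# approved mode, rather than just shipping software labelled "FIPS compliant".
# Assumptions (not from the article): OpenSSL 3 with the FIPS provider, and a
# kernel that exposes /proc/sys/crypto/fips_enabled.

# Returns 0 when the kernel FIPS flag file contains "1".
# Argument: path to the flag file (defaults to the real /proc entry).
kernel_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || return 1
    [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# Returns 0 when the text of `openssl list -providers` (read from stdin) shows
# the provider with id "fips" loaded and reporting "status: active".
# Provider ids are indented two spaces; their properties four spaces.
openssl_fips_provider_active() {
    awk '
        /^  [a-z]/                              { section = $1 }
        section == "fips" && /status: active/   { found = 1 }
        END                                     { exit found ? 0 : 1 }
    '
}

# Combined verdict: both checks must pass. Prints one status line and returns
# 0 only when the kernel flag is set and the FIPS provider is active.
fips_mode_verdict() {
    flag_file="$1"
    listing_file="$2"
    if kernel_fips_enabled "$flag_file" && openssl_fips_provider_active < "$listing_file"; then
        echo "FIPS mode: kernel flag set and OpenSSL FIPS provider active"
        return 0
    fi
    echo "NOT in FIPS mode: a 'FIPS compliant' label does not make this host compliant"
    return 1
}

# Offline demo on constructed input (not captured from a real host): a host with
# the flag set and a listing that shows both the default and fips providers.
demo_constructed() {
    demo_dir="$(mktemp -d)"
    printf '1\n' > "$demo_dir/fips_enabled"
    cat > "$demo_dir/providers.txt" <<'EOF'
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
EOF
    fips_mode_verdict "$demo_dir/fips_enabled" "$demo_dir/providers.txt"
    rc=$?
    rm -rf "$demo_dir"
    return $rc
}

# Real usage:  openssl list -providers > /tmp/providers.txt
#              ./fips_check.sh /proc/sys/crypto/fips_enabled /tmp/providers.txt
# With no arguments the script runs the constructed demo instead.
if [ "$#" -eq 2 ]; then
    fips_mode_verdict "$1" "$2"
elif [ "$#" -eq 0 ] && [ "${FIPS_CHECK_NO_DEMO:-}" = "" ]; then
    demo_constructed
fi
```

Passing both checks is necessary but not sufficient: an application can still bypass the FIPS provider by fetching algorithms from the default provider, so the remaining step is to confirm, per the module's Security Policy, that the application is configured to use only the validated module for security-relevant operations.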
What does it mean to be FIPS certified?
During FIPS 140-2 validation, the cryptographic module is tested against each of the standard's requirement areas, including module specification, ports and interfaces, roles and services, key management, self-tests, operational environment, physical security and design assurance. The laboratory confirms that the algorithm implementations are correct (through CAVP algorithm testing), that random number generation uses an approved, unpredictable generator, that keys are zeroized rather than carelessly discarded, and that the module's power-up and conditional self-tests behave as documented. The result is a CMVP certificate, listed publicly by NIST, that states exactly which module, version and operating environments were validated and at which security level.
The GoSilent Cube portable VPN/firewall offers robust encryption algorithms and design and uses FIPS CAVP-validated algorithm implementations. Note that CAVP certificates attest to algorithm correctness only; module-level validation under the CMVP is a separate process, so check NIST's CMVP list for a certificate number before treating any product as FIPS 140-2 validated.
GoSilent deploys AES 256-bit encryption to protect sensitive data via dual tunnel, end-to-end encryption. Data never gets stored on an intermediary server, and no extra keys are ever generated.
As a fully portable, plug-and-play solution, GoSilent combines ease of use with Top Secret, government-grade protection. Today, GoSilent is protecting mission-critical intellectual property and data worldwide for public and private sectors.