The Scoop on FIPS 140-2

by Walter Paley, VP Marketing at SafeLogic

In the culmination of SafeLogic’s partnership with BlackRidge Technology, Federal Information Processing Standard 140-2 (FIPS 140-2) validation certificate #3151 was completed on March 14, 2018. I’m happy to be here as a guest blogger from SafeLogic to share some background on the FIPS 140-2 program and why we’re so excited about this!

FIPS 140-2 is the second iteration (hence the ‘dash two’) of a standard written to provide a minimum level of cryptographic strength for use within the federal government. Not to be confused with NSA Suite A encryption, used for classified information and so secretive that even the algorithms themselves are classified, FIPS 140-2 was intended for, well, everything else in the government. Technically termed Sensitive But Unclassified (SBU), these federal operating environments range from data centers to mobile devices, with use cases from expense reports to VA health records, and they have all been standardized and mandated to deploy encryption that has been reviewed and certified to meet the benchmark of FIPS 140-2. All other cryptography has not been proven to be any better than plaintext and treated as such.

It makes a lot of sense that the federal government would want SBU data to be encrypted to a uniform minimum level, and the establishment of the Cryptographic Module Validation Program (CMVP) organized that mechanism. The CMVP is operated in tandem by NIST (the U.S. National Institute of Standards and Technology, also responsible for writing the original standard) and CSE (Canada’s equivalent, the Communications Security Establishment). The CMVP’s role is to confirm the results provided by independent third party testing labs and to issue the validations when earned.

The CMVP offers four levels of validation and several types, including software, hardware, and hybrid. Many folks mistakenly believe that the ‘dash two’ in FIPS 140-2 represents a Level 2 validation, but as mentioned above, it’s just the version number of the standard. The levels themselves are a bit of a misnomer as well, as they do not stack in a clear gradient. Level 2 validations are not necessarily indicative of higher security or superiority over Level 1, but address different applicable security controls. Tamper-proof seals, for example, have no relevance for software such as the BlackRidge Technology Cryptographic Module, but certainly would be a priority for a hardware module that is physically exposed in deployment.

This brings me to an interesting point about FIPS 140-2 and BlackRidge’s validation. As I mentioned, certificates are administered by the CMVP – the Cryptographic Module Validation Program. While other security assessments are concerned with more broad parameters (Common Criteria is a good example), FIPS 140-2 is only concerned with encryption. Our partners at BlackRidge Technology have embraced SafeLogic’s strategy of intense focus on the cryptographic module, carefully setting a narrow validation boundary and avoiding scope creep. As a result, they will avoid future compliance issues by restricting FIPS 140-2 testing to the isolated software module and reap major development time and cost benefits. BlackRidge products can be updated and released at the speed of innovation and still deploy FIPS 140-2 validated encryption without fear of incurring revalidation because the tested module has remained static.

BlackRidge solutions that are game-changers in the private sector will now be available to federal agencies – and not in the traditional way, delayed a year or so for a government version. I’m talking fast! The government is facing the same challenges (and more) that are being addressed in the private sector and they need solutions that are both on the cutting edge and meet the stringent requirements for procurement. Those are not easy initiatives to balance, and BlackRidge is doing exactly that. So yeah, this announcement that BlackRidge Receives FIPS 140-2 Government Validation is a pretty big deal. Congratulations to the entire BlackRidge Technology team!

Walter Payley