FIPS can sound intimidating, dense, or incomprehensible. As an MSP, depending on your client base, maintaining compliance with FIPS could be an essential part of your role. For this reason, a well-grounded understanding of what FIPS are, what they cover, and what they mean for you and your clients is essential. In this guide, we walk you through the critical background and take a look at why FIPS might affect your workflows. Let’s get started.
What are FIPS?
FIPS stands for ‘Federal Information Processing Standards’. The term refers to a series of computer security standards developed by the U.S. Federal Government in line with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. More specifically, FIPS is a security standards framework developed by the National Institute of Standards and Technology (NIST).
FIPS dictate certain requirements for a range of cybersecurity matters, including computer encryption schemes, key generation methods, computer security, and interoperability (amongst other things), and stipulate which are acceptable.
They are generally only developed in areas where there are still no industry standard guidelines for solutions to a specific government requirement.
Who uses FIPS?
Compliance with FIPS is usually only mandatory for non-military federal government agencies, contractors, and vendors. They apply specifically to departments that deal with, store, share, and disseminate sensitive but unclassified information (SBU) and data. Any agencies that are responsible for federally rolled out programs such as unemployment insurance, student loans, Medicare, and Medicaid are required to comply with FISMA (which requires compliance with FIPS). This also applies to private sector agents that have procured government contracts.
Note: they do not apply to national security systems.
However, since the FIPS are publically available, they can be, and are often, adopted by private sector actors on a voluntary basis. And in general, given it is a US However, since the FIPS are publically available, they can be, and are often, adopted by private sector actors on a voluntary basis. And in general, given it is a US government-mandated framework, it’s also widely acknowledged internationally as a robust and trustworthy security standard.
Why are FIPS necessary?
FIPS address the fact that although there are multiple different ways that you can, for example, encrypt information, not all methods are equally secure or effective. For this reason, the federal government vets and approves certain schemes that meet their requirements, and sets those as a standard for its agencies.
What are the different FIPS series?
The term ‘FIPS’ is actually an umbrella term for a number of different standards relating to specific security concerns. Here are just a few examples:
- FIPS-140-2 and 3 relate to cryptography modules
- FIPS – 201-2 – Personal Identity Verification (PIV) of Federal Employees and Contractors
- FIPS-186-4 – Digital Signature Standard
- FIPS-197 – Advanced Encryption Standards
- FIPS- 199 Relate to Standards for Security Categorization of Federal Information and Information Systems
What are FIPS-140-2 and FIPS-140-3?
FIPS-140-2 and 140-3 are both sets of standards that are frequently referred to within a cyber-security context. FIPS-140-2/3 both relate to the standard security requirements for cryptographic modules. FIPS-140-2 will eventually be replaced by FIPS-140-3, and this transition is currently underway.
- Level 1 – The lowest security level that imposes minimum requirements and requires all components to be ‘production grade’
- Level 2 – Added requirements for physical-tamper evidence as well as role-based authentication
- Level 3 – Further obligation to strengthen security against attackers, the use of identity-based authentication, as well as a physical separation between interfaces
- Level 4 – The most stringent level that necessitates robust physical security measures against environmental attacks
How are FIPS developed?
FIPS are only really developed if no acceptable industry standards already exist and where there is an explicit governmental need for them in a particular space.
First, the proposed FIPS are announced on the Federal Register, NIST’s electronic pages, and the Chief Information Officers Council page. Comments and reviews are welcomed on the proposal for a period of up to 90 days.
Following this, relevant amendments and modifications are applied to the proposed draft. Once this is complete, a justification document is prepared that contextualizes updates, modifications, or the choice to keep certain aspects the same.
Once the Secretary of Commerce has approved the proposed FIPS, an announcement to this effect is published on the NIST’s website.
When are FIPS withdrawn?
If and when industry standards are developed, then FIPS for that specific area become defunct and are withdrawn. This can also happen if a certain commercial product that lays down the standard becomes widely available.
The reason for this is that, in actual fact, governmental departments and agencies are required under the National Technology Transfer and Advancement Act (1995) to utilize technical industry standards developed by voluntary bodies rather than investing in the development of its own standards.
What does it mean to be FIPS compliant?
FIPS accreditation indicates that a certain solution meets the requirements laid out by the government regulation. If a certain IT product or solution is accredited in this way, it means that US federal agencies and their contractors can use the product immediately. To become compliant, all components of a security solution (hardware and software) must be tested and approved by a NIST accredited independent laboratory.
Why are FIPS important?
Given the rigorous testing that FIPS entail, they are considered a dependable security standard. Plus, they’re a useful baseline for any entities that need to implement security standards within their infrastructure.
When are FIPS useful for MSPs?
You may come across clients that operate under certain FIPS frameworks. This means as an MSP, you’ll have to be aware of the requisite standards and what it means to be compliant.
From a patching perspective especially, awareness of FIPS is crucial. This is because if you blindly apply patches or allow automated patching to occur, you may inadvertently allow non-compliant patches to be applied to your network.
Once they’re broken down, FIPS aren’t so intimidating. The most important thing is to keep on top of the latest developments in the regulations and standards.
See Atera in Action
RMM Software, PSA and Remote Access that will change the way you run your MSP Business