Fips 140-2

jak096

I asked our online file storage provider if our data was protected with FIPS 140-2 encryption because all I could find on their web site was AES – 256. They told me that their understanding of FIPS 140-2 was that it was something we did on our end. I have read numerous articles and am not sure if this is hardware or just a higher encryption above AES-256. Anyway, HHS (Health and Human Services) is requiring us to have our subcontractors sign a DUA (Data Use Agreement) and our online file storage provider won’t sign it. They will only send us their BA (Business Agreement) after we sign their NDA. They say their BA covers all of HHS requirements. I’m real concerned about sending the DUA unsigned by them with their BA attached. Not sure if HHS will accept that. Thinking of moving to Office 365 and moving the data to OneDrive and just say will be compliant in 30 days. Can someone please explain FIPS 140-2 or post a link that explains it clearly.

stryder144

I don't believe that production AES goes above 256 bits. FIPS 140-2 does appear to be hardware related, as I found no references to which encryption standard to use. Granted, I went through all 69 pages of the standard rather quickly, so I could have missed something.

Cyberscum

So is HHS requiring data to be stored on fips complaint or validated devices?

I'm having trouble understanding what you are asking.

If they want the devices to be good compliant that should not be too difficult.....if they want fips validated....well good luck.

Here is a nice easy read on fips

https://www.corsec.com/certifications/fips-140-2/

TheFORCE

FIPS 140-2 can be implemented in software modules or hardware modules. When its implemented in software modules it is recommended to key the keys in a separate location. More info can be found on the NIST site. I have not implemented FIPS 140-2 as it was was not required for us, but i was reading the manuals for our SIEM and it said that if you are going to enable FIPS 140-2 you cannot go back and disable it afterwards, you would need to wipe out the device and redo it, so we never enabled it. Also, FIPS 140-2 has different levels so you need to figure out at which level you want to be. Below more info.

Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules

jak096

I still don’t understand what is FIPS 140-2 compliant encryption. These are two questions from the SPI (Security and Privacy Initial Inquiry) that I’m not sure about as it pertains to our online file storage. Any no answers must have action plan and completed in 30 days.


Does applicant ensure that services which access, create, disclose, receive, transmit, maintain, or store HHS Confidential Information are maintained in the US unless all of the following requirements are met?

1. The data is encrypted with FIPS 140-2 compliant encryption

Does Applicant use encryption products to protect HHS Confidential Information that transmitted over a public network. If yes, upon request must provide evidence such as a screen shot or a system report. Encryption is required for all HHS confidential Information.


Additionally, FIPS 140-2 compliant encyption is required for Health Insurance Portability and Accountability Act (HIPPA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS)data.

TheFORCE

Take a look at this index, it lists the categories that one must be compliant for FIPS http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf

jak096

Thanks to all. I thinkI understand it now.

Verities

[FONT=&amp]Here's some additional information from DISA RHEL 7 STIG items that I've dealt with when implementing FIPS 140-2 compliancy on a production system:

-The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect datarequiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

-Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity,and DoD data may be compromised.

-Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.

-File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.

-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows forSecurity Levels 1, 2, 3, or 4 for use on a general purpose computing system.

-DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.

All of the items are dealing with ensuring encryption strength is as high as possible and that communications are encrypted as much as possible. This is not a quick and easy approach as it requires considerable testing to ensure applications can support the encryption standards.[/FONT]