Ashok V

FIPS - Federal Information Processing Standard

Ashok Vanga's photo
Ashok Vanga
·

3 min read

Understanding FIPS Standards

What is FIPS 140-2?

F1.png

Keeping sensitive data, such as Personally Identifiable Information (PII), secure in every stage of its life is an important task for any organization. To simplify this process, standards, regulations, and best practices were created to better protect data. The Federal Information Protection Standard, or FIPS, is one of these standards. These standards were created by the National Institute of Science and Technology (NIST) to protect government data, and ensure those working with the government comply with certain safety standards before they have access to data.

Why FIPS 140-2 --> Any organization that works with the U.S. Federal government must comply with this standard

Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software

FIPS is so important ?

The main organizations that are required to be FIPS 140-2 compliant are federal government organizations that either collect, store, share, transfer, or disseminate sensitive data, such as Personally Identifiable Information. All federal agencies, their contractors, and service providers must all be compliant with FIPS as well. Additionally, any systems deployed in a federal environment must also be FIPS 140-2 compliant. This includes the encryption systems utilized by Cloud Service Providers (CSPs), computer solutions, software, and other related systems. This means only those services, devices, and software that are FIPS compliant can even be considered for use by the federal government, which is one of the reasons so many technology companies want to ensure they are FIPS 140-2 compliant.

How it is related to Go for a developer ?

By default, applications written in Go use cryptographic functions from the Go standard library, which is not FIPS-validated

pkg.go.dev/github.com/minio/minio/internal/..

there are two options for us:

BoringSSL based crypto. RedHat go toolchain.

Package fips provides functionality to configure cryptographic implementations compliant with FIPS 140.

FIPS 140 1 is a US standard for data processing that specifies requirements for cryptographic modules. Software that is "FIPS 140 compliant" must use approved cryptographic primitives only and that are implemented by a FIPS 140 certified cryptographic module.

So, FIPS 140 requires that a certified implementation of e.g. AES is used to implement more high-level cryptographic protocols. It does not require any specific security criteria for those high-level protocols. FIPS 140 focuses only on the implementation and usage of the most low-level cryptographic building blocks.

If the entire product has not been tested and approved as FIPS validated, that means the product is only FIPS compliant.

Any organization that works with the U.S. Federal government must comply with this standard , All products must submit a Security Policy that outlines what the module is and how it complies with FIPS.

Thanks for Reading this

Did you find this article valuable?

Support Ashok V by becoming a sponsor. Any amount is appreciated!

FIPSCryptography