Background: What is FIPS compliance?

 
FIPS compliance refers to the implementation of specific data security practices outlined in the Federal Information Processing Standards (FIPS) published by the National Institute of Standards and Technology (NIST). For secure file transfer, the relevant standard is FIPS 140-3, Security Requirements for Cryptographic Modules, whose approved algorithms and requirements cover:

  • Digital signatures 
  • Secure hashing
  • Encryption
  • Key generation and key management

FIPS 140-3 requires that organizations seeking to demonstrate compliance use cryptographic modules that have been tested by an independent, NVLAP-accredited laboratory and validated under the Cryptographic Module Validation Program (CMVP). Note the distinction: it is the cryptographic module that is validated, not the application built around it. A product such as Cerberus FTP Server by Redwood is FIPS compliant because it performs its encryption with a validated module, and it can point to that module's validation certificate as evidence that its secure file transfers use cryptography that meets the standard. (For reference, Cerberus FTP Server uses the OpenSSL 3 FIPS Provider, CMVP Certificate 4282.) 


Who must comply with FIPS?

 
Within the United States and Canada, any federal agency, its contractors, its service providers and any other organization that handles sensitive data or protected information in the administration of a federal program must be FIPS compliant. This requirement includes: 

  • State organizations, agencies and their subcontractors that administer federal programs
  • Contractors and vendors who store or work with any sensitive data provided by federal programs
  • Organizations that receive federal funding

If your organization does not fall under the categories above, FIPS compliance is still recommended. Doing so will ensure a strong level of data security and that you will have an infrastructure in place for potential business conducted at a state or federal level. 

Organizations operating outside the US and Canada that do not fall under the categories above are not governed by FIPS. However, FIPS 140-3 adopts the international standard ISO/IEC 19790 by reference, so a module validated under FIPS 140-3 has been tested against requirements that many other jurisdictions recognize, and ISO/IEC 19790 itself may be the more applicable standard in those jurisdictions. 
 

Which types of data transfers require FIPS compliance?

 
Secure file transfers that involve any of the following types of data must comply with FIPS standards:

  • Any data processed, collected or stored by your organization on behalf of a federal agency
  • Any data provided to your organization by a federal agency 
  • Any data labeled as “Controlled Unclassified Information,” or CUI*
  • Any of the above data for which your organization provides security protection

*Note that the CUI label is replacing a variety of former data classification categories, including “Sensitive but Unclassified,” “Personally Identifiable Information” and more. You can view the full list of CUI categories in the CUI Registry maintained by the National Archives (NARA) at this link, and for more on secure file transfers involving Controlled Unclassified Information, read Cerberus FTP Server’s CUI Data Transfer Compliance Guide.

 

What actions do I need to take to be FIPS Compliant?

 
The steps to achieve FIPS compliance depend on how your organization will be handling sensitive data in your secure file transfers:

  • Organizations using existing data privacy and secure file transfer tools: You will generally need to demonstrate your compliance in several areas:
    • Demonstrate internal information security practices: FIPS 200 establishes the minimum security requirements for federal information and information systems, with NIST SP 800-53 supplying the detailed control catalog. Organizations seeking to prove compliance with FIPS 200 must show that their internal processes in areas like access control, audit and accountability, personnel security and other control families meet those requirements. 
    • Use FIPS-validated cryptographic modules: If you are building a solution or providing a service using established encryption applications or tools, the cryptography must be performed by a module that holds a FIPS validation certificate, and the module must be run in its approved (FIPS) mode of operation (you can search the NIST Cryptographic Module Validation Program at this link). A validated module that is installed but not operating in approved mode does not satisfy the requirement. 
    • Verify the identities of all individuals accessing data: FIPS 201-3 (Personal Identity Verification, or PIV) defines the credentialing and authentication requirements for federal employees and contractors who access federal systems and data. Organizations seeking FIPS compliance will need to demonstrate that their identity proofing and authentication procedures meet those requirements where they apply.
  • Organizations developing cryptographic modules: If you are developing a cryptographic module to meet FIPS 140-3, the module must be tested by an NVLAP-accredited Cryptographic and Security Testing (CST) laboratory and then validated by the CMVP, which NIST operates jointly with the Canadian Centre for Cyber Security. Since April 2022 the CMVP accepts new submissions only against FIPS 140-3; existing FIPS 140-2 certificates remain valid until the CMVP moves them to its historical list.  

 

Does FIPS compliance cover hardware and software?

 
Yes. In addition to the requirements discussed above that cover individuals with access to your hardware and software, FIPS 140-3 validation can be provided for hardware, firmware, software and hybrid cryptographic modules. 

 

Where can I find FIPS documentation?

 
NIST maintains the current list of FIPS publications on its Computer Security Resource Center (csrc.nist.gov) at this link.

 

How do I know a secure file transfer solution is FIPS compliant?

 
You can verify a secure file transfer solution’s FIPS validation using the search page of NIST’s Cryptographic Module Validation Program. Every validated module has a certificate number, and your secure file transfer application’s documentation should reference that certificate. As mentioned above, Cerberus FTP Server uses the OpenSSL 3 FIPS Provider, CMVP Certificate 4282. When checking, compare the module name and version string the application actually loads against the versions and operational environments listed on the certificate, and confirm the application runs the module in its approved mode; a validated module that is installed but not active, or a different build than the one that was tested, does not give you the assurance the certificate describes.
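A practical way to act on this check, and on the “use FIPS-validated cryptographic modules” step above, as an added example (not Cerberus FTP Server’s or OpenSSL’s own code): a POSIX shell script that parses the output of `openssl list -providers` from OpenSSL 3, reports whether the FIPS provider is loaded and active, and prints its version string so it can be compared with the module’s CMVP certificate entry. The two provider listings embedded in it are constructed samples, and the output layout it parses (provider id indented two spaces, attributes indented four) is an assumption based on OpenSSL 3.x.

```shell
#!/bin/sh
# Added example, not code from Cerberus FTP Server or OpenSSL.
# Checks whether the OpenSSL 3 FIPS provider is loaded and active and reports its
# version, by parsing `openssl list -providers`. Assumed output layout (OpenSSL 3.x):
#   Providers:
#     <provider id>
#       name: ...
#       version: ...
#       status: active

# Return 0 if the listing passed in $1 contains a "fips" provider with status active.
fips_provider_active() {
  in_fips=0
  found=1
  while IFS= read -r line; do
    case "$line" in
      "  fips")   in_fips=1 ;;   # start of the fips provider entry
      "  "[a-z]*) in_fips=0 ;;   # start of some other provider entry
    esac
    if [ "$in_fips" -eq 1 ]; then
      case "$line" in
        *"status: active"*) found=0 ;;
      esac
    fi
  done <<EOF
$1
EOF
  return $found
}

# Print the version string of the fips provider entry in $1; return 1 if there is none.
fips_provider_version() {
  in_fips=0
  while IFS= read -r line; do
    case "$line" in
      "  fips")   in_fips=1 ;;
      "  "[a-z]*) in_fips=0 ;;
    esac
    if [ "$in_fips" -eq 1 ]; then
      case "$line" in
        *"version: "*) printf '%s\n' "${line#*version: }"; return 0 ;;
      esac
    fi
  done <<EOF
$1
EOF
  return 1
}

# Run the check against the openssl binary on PATH.
# Exit 0 = FIPS provider active, 1 = not active, 2 = could not check.
check_local_openssl() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found on PATH; cannot check live provider status" >&2
    return 2
  fi
  if ! listing="$(openssl list -providers 2>/dev/null)"; then
    echo "openssl list -providers failed; OpenSSL 1.x has no provider model" >&2
    return 2
  fi
  if fips_provider_active "$listing"; then
    echo "FIPS provider active, version $(fips_provider_version "$listing")"
    return 0
  fi
  echo "FIPS provider is not active in this OpenSSL"
  return 1
}

# Constructed sample listings (not captured from a real system) for offline demonstration.
SAMPLE_FIPS_ACTIVE='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

SAMPLE_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active'

if fips_provider_active "$SAMPLE_FIPS_ACTIVE"; then
  echo "sample 1: fips active, version $(fips_provider_version "$SAMPLE_FIPS_ACTIVE")"
fi
if ! fips_provider_active "$SAMPLE_DEFAULT_ONLY"; then
  echo "sample 2: fips provider not loaded"
fi

# Live check against whatever OpenSSL is installed here.
check_local_openssl || echo "live check exit status: $?"
```

The script inspects the OpenSSL library that the `openssl` command on PATH links against. A server product that bundles its own OpenSSL build and configuration has to be checked through its own FIPS-mode setting and logs, and the version it reports is the value to compare against the certificate. Note also that an active FIPS provider proves the module is loaded, not that every operation goes through it: if the default provider is loaded alongside it, an application can still reach non-approved algorithms, so a deployment that must operate in approved mode should also restrict algorithm selection to the FIPS provider in its OpenSSL configuration.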

 

What other standards and regulations affect secure file transfer?

 
Several other US, international and industry requirements may affect your secure file transfer activities, including:

 

The above is by no means an exhaustive list, but we hope it proves valuable in helping you stay compliant with secure file transfer regulations and requirements.