FIPS 140-2 compliance
This section discusses FIPS 140-2 and how to configure and use XProtect VMS to operate in FIPS 140-2 compliant mode.
The terms “FIPS 140-2 compliant” and “FIPS 140-2 compliant mode” are not legally binding. The terms are used here for clarity.
FIPS 140-2 compliant means that software uses FIPS 140-2-validated instances of algorithms and hashing functions in all instances in which encrypted or hashed data is imported to or exported from the software. Additionally, this means that software will manage keys in a secure manner, as is required of FIPS 140-2-validated cryptographic modules. The key management process also includes both key generation and key storage.
FIPS 140-2 compliant mode refers to software that contains both FIPS-approved and non-FIPS approved security methods, where the software has at least one “FIPS mode of operation”. This mode of operation only allows for the operation of FIPS-approved security methods. This means that when the software is in the “FIPS mode”, a non-FIPS approved method is not used in lieu of the FIPS approved method.
The following topics are discussed.
What is FIPS?
Federal Information Processing Standards (FIPS) are a family of standards developed by the following two government bodies:
- The National Institute of Standards and Technology (NIST) in the United States
- The Communications Security Establishment (CSE) in Canada
These standards aim at ensuring computer security and interoperability.
All software solutions deployed in government and highly regulated industries in the United States and Canada are required to comply with FIPS 140-2.
What is FIPS 140-2?
FIPS 140-2, titled “Security Requirements for Cryptographic Modules,” specifies which encryption algorithms and which hashing algorithms can be used and how encryption keys are to be generated and managed.
The security requirements specified in this standard are intended to maintain the security provided by a cryptographic module, but conformance to this standard is not sufficient to ensure that a particular module is secure. The operator of a cryptographic module is responsible for ensuring that the security provided by the module is sufficient and acceptable to the owner of the information that is being protected, and that any residual risk is acknowledged and accepted.
Which XProtect VMS applications can operate in a FIPS 140-2 compliant mode?
As of XProtect VMS 2020 R3, all encryption algorithms have been replaced with Microsoft’s Cryptography New Generation (CNG), which adheres to the latest security technologies available and is FIPS compliant. That is, all XProtect VMS 2020 R3 applications can operate in FIPS compliant mode.
For the sake of backward compatibility, some non-compliant algorithms and processes persist in XProtect VMS, even after version 2020 R3, but this does not affect the ability to operate the system in FIPS compliant mode.
Is XProtect VMS always FIPS compliant?
No. Some non-compliant algorithms and processes persist in XProtect VMS. But, XProtect VMS can be configured and operate so that it uses only the FIPS 140-2 certified algorithm instances and thereby operate in a FIPS compliant mode.
Should you enable FIPS 140–2 mode?
Before enabling the FIPS 140–2 mode it is necessary to understand whether you need it or not. For instance, if you are working and connected to a US or Canadian government network and infrastructure, then it is mandatory to comply with FIPS 140–2 and enable it on your computer for communication as per the standard. Furthermore, enabling FIPS 140–2 mode on your Windows operating system restricts many programs and services from running, since only FIPS-approved algorithms and services will be supported after that. Therefore, it is advised to check whether there is a necessity or not.