Federal Information Processing Standard 140-2 (FIPS 140-2) is a requirement for U.S. government organizations and contractors, a government security mandate designed to evaluate and approve encryption solutions serving the federal supply chain. It calls for security by a cryptographic module, and employs a security accreditation program for assessing private sector company security solution capabilities against the FIPS standard.
Developed by the National Institute of Standards and Technology (NIST), the FIPS 140-2 standard “shall be used in designing and implementing cryptographic modules that federal departments and agencies operate or are operated for them under contract.”
The security requirements cover areas related to the secure design, implementation and operation of a cryptographic module. The requirements specifically name cryptographic module specification; cryptographic module interfaces; roles, services, and authentication; software/firmware security; operating environment; physical security; non-invasive security; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation of other attacks. https://csrc.nist.gov/publications/detail/fips/140/3/final
In addition, because FIPS 140-2 is required for all federal systems or systems processing federal data, it’s definitely a piece of FedRAMP (along with any other federal requirements regiment like NIST 800-171 and NIST 800-53).
FIPS 140-2 and updated FIPS 140-3 represent a legislatively mandated standard, so the government agency and vendor serving that agency must be FIPS 140-2 compliant. Atomic OSSEC from Atomicorp provides in-solution FIPS support for these federal customers and contractors.
Atomic OSSEC for FIPS 140-2 Requirements
The Atomic OSSEC intrusion detection system is not only fully FIPS 140-2 compliant out-of-the-box, it also provides government agencies, independent software vendors, and equipment vendors with additional tools for assessing, implementing, and enforcing FIPS compliance elsewhere on any system on which the agent is installed:
- Atomic OSSEC leverages the FIPS-validated cryptographic library packaged with the operating system, such as:
- Windows – cng.sys, bcryptprimitives.dll and ncryptsslp.dll
- Linux – kernel, OpenSSL, OpenSSH, GnuTLS, libgcrypt, libssh
- Atomic OSSEC uses AES-256 as the data transport, using the native openSSL package. Community OSSEC uses Blowfish, which is considered to be weak.
- Atomic OSSEC has several compliance checks to determine if the system-wide cryptographic policy is not classified as ‘legacy.’
- Atomic OSSEC has some additional application-specific checks for FIPS compliance.
- Atomic OSSEC’s system inventory module can help you locate and determine version information for cryptographic packages installed on a system.
Ease of use is also a benefit, especially as part of Atomicorp’s SaaS option for Atomic OSSEC. You basically install the Atomic OSSEC agent (and hub), put systems into FIPS mode via kernel options, and you’re good to go.
FIPS 140-2 compliance is a complex topic, but Atomic OSSEC makes it easy. Once the Atomic OSSEC hub is deployed in your environment (or you have configured the Atomic OSSEC SaaS), just install the agent, put systems into FIPS mode via kernel options, and review any FIPS-related events that are generated. You’ll have your environment compliant fast.
Get a demonstration today.
Visit the Atomic OSSEC page.