October 18, 2012

What is FIPS 140?

Information security is paramount in the Cloud Computing business. For anyone learning about, planning on moving to, or already in the Cloud, it’s important to know about FIPS 140 certification and the role it plays in information security. What does it mean when software and hardware are FIPS 140 certified?

The National Institute of Standards and Technology (NIST) established FIPS 140, short for Federal Information Processing Standard, as a US Government standard and general requirement for any security equipment/system (hardware, firmware, software, or a combination) used by agencies to protect sensitive yet unclassified information. Cryptographic modules themselves, as well as their documentation and source code elements, are included in these standard requirements.

FIPS 140 requirements include four security levels and eleven requirement areas.

4 Security levels:

  • Level 1: The lowest of the levels, Level 1 specifies basic security requirements for a cryptographic module. No physical security is required, beyond production-grade equipment.
  • Level 2: Security Level 2 improves upon Level 1’s physical security requirements and also uses role-based authentication.
  • Level 3: Level 3 employs further-enhanced physical security, identity-based authentication, and stronger requirements for entering/outputting critical security parameters.
  • Level 4: Level 4 has the highest security standards of the levels, and most existing products do not meet its requirements. It is the most useful for operation in a physically unprotected environment (where an intruder could tamper with the device), and also protects a module against environmental safety concerns, such as extreme voltage and temperature.

11 Requirement areas:

  • Cryptographic module specification: What requires documentation
  • Cryptographic module ports & interfaces: What information moves in/out and how it should be separated
  • Roles, services, & authentication: Who does what with the module, and how it’s checked
  • Finite state model: Which high-level states the module can be in, and how the transitions are explained
  • Physical security: Resistance against tampering and environmental conditions
  • Operational environment: Type of operating system used
  • Cryptographic key management
  • EMI/EMC: Electromagnetic interference/compatibility
  • Self-tests: What and when to test, and what to do if a test fails
  • Design assurance: What documentation is necessary to show it was well-designed and implemented
  • Mitigation of other attacks

User agencies need to confirm that modules in use are covered by a FIPS 140 validation certificate, which specifies the module name, equipment, and version numbers. Vendors do not always maintain their baseline validations, so it is important to ensure their certifications comply with standards to keep your data secure.
