FIPS 140-2 for software: How it relates to FedRAMP approval

Federal Information Processing Standards (FIPS) 140 is a set of standards for cryptographic modules used to protect sensitive data for the federal government.

The validation process is performed by third-party laboratories that certify both software and hardware implementations. Its scope ranges from the effects of electromagnetic interference on systems to personnel gaining physical access to protected systems.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP uses a common framework, making it possible for agencies and service providers to reuse authorizations. Approve once, deploy anywhere!

The FedRAMP documentation is a collection of security controls based on National Institute of Standards and Technology (NIST) SP 800-53. It outlines security control requirements and the level of compliance. This publication contains over 400 controls ranging from account management to incident response.

Why does FedRAMP use NIST SP 800-53?

This publication documents industry best practices on safeguarding Information Technology (IT) systems. Today, NIST SP 800-53 is the de facto standard for IT control baselines in the federal government.

One of the key benefits of FIPS 140 is that it can aid in the process of achieving FedRAMP approval. So, what’s the caveat? Third-party software such as Kubernetes, Istio and others does not simply inherit the service provider’s FIPS certification. Each software or hardware vendor is responsible for certifying their solution to ensure compliance with the NIST standard.

Where does FIPS 140 fit into the FedRAMP process?

Key to understanding the FedRAMP process are the controls required to meet and/or exceed the certification process. One specific control pertaining to the protection of sensitive data and the use of cryptographic modules is SC-13.

SC-13, under the “System and Communication Protection” category, includes guidance on the use of cryptography. Under this guidance, any use of cryptographic modules requires the organization to meet federal standards and policies. The use of FIPS-validated cryptographic modules demonstrates that the modules have been properly implemented according to NIST standards and are trustworthy to protect sensitive information.

FIPS validation helps accelerate your FedRAMP approval process, including related controls. SC-13 is applicable to all FedRAMP impact levels. Not to mention, it is related to 28 additional controls, all of which are linked to the use of cryptographic modules. (See the list of controls below.)

SC-13 related controls per NIST SP 800-53

Control Family                         Control No.
Access Control                         AC-2, AC-3, AC-7, AC-17, AC-18, AC-19
Audit and Accountability               AU-9, AU-10
Configuration Management               CM-11
Contingency Planning                   CP-9
Identification and Authentication      IA-3, IA-5, IA-7
Maintenance                            MA-4
Media Protection                       MP-2, MP-4, MP-5
System and Services Acquisition        SA-4, SA-8, SA-9
System and Communication Protection    SC-8, SC-12, SC-20, SC-23, SC-28, SC-40
System and Information Integrity       SI-3, SI-7

What about the other 300+ controls? 

The Gloo Platform, powered by Istio, uses a declarative approach to reducing the complexity of compliance, including controls outside the FIPS-related mappings. Our platform implements advanced levels of security, enabling teams to reliably deploy applications securely at scale without sacrificing time to authorization.

Learn about distroless FIPS-compliant Istio.

FIPS 140-2 enabled software and FedRAMP certification

Want to go into more depth on FIPS 140-2 and how it relates to FedRAMP certification? On February 8th, Gregory Erb and I will be holding a webinar to discuss the need for FIPS-enabled software and how the Gloo Platform provides advanced levels of security – enabling teams to deploy and manage applications securely at scale.

In this webinar, you will learn how to understand your architecture when it comes to verifying FIPS mode for the OS, Kubernetes, and service mesh. This includes identifying:

  • Points of ingress and egress
  • Insecure/vulnerable protocols like HTTP and gRPC
  • Gaps and mapping controls

We will also cover how to implement controls, including:

  • Demonstrating how Gloo Platform can help automate compliance using GitOps
  • Verifying use of specific ciphers
  • Applying policy as code, e.g., external AuthN/Z, mTLS, Open Policy Agent for authorization

Join us on Feb 8, 2023 at 1pm EST for this online event. Register for the FIPS and FedRAMP webinar here

Read the docs on Gloo Istio FIPS.