Digging deeper into FIPS and FedRAMP compliance
In an earlier article, we listed some of the compliance and regulatory standards required of public-sector organizations in the U.S. Here we dig deeper into two of them: FIPS and FedRAMP.
Federal Information Processing Standards (FIPS)
FIPS are standards and guidelines for federal computer systems, developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA). Although FIPS are developed for use by the federal government, many organizations in the private sector adopt them voluntarily. The current FIPS can be found on NIST's Current FIPS webpage; some of them are listed here:
| Number | Title |
|---|---|
| 140-2 | Security Requirements for Cryptographic Modules |
| 180-4 | Secure Hash Standard (SHS) |
| 186-4 | Digital Signature Standard (DSS) |
| 197 | Advanced Encryption Standard (AES) |
| 198-1 | The Keyed-Hash Message Authentication Code (HMAC) |
| 199 | Standards for Security Categorization of Federal Information and Information Systems |
| 200 | Minimum Security Requirements for Federal Information and Information Systems |
| 201-2 | Personal Identity Verification (PIV) of Federal Employees and Contractors |
| 202 | SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions |
Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP was established to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. It lets agencies use modern cloud technologies while emphasizing the security and protection of federal information. It is the authoritative, standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.
FISMA requires agencies to protect federal information. The Office of Management and Budget (OMB) states that when agencies implement FISMA, they must use NIST standards and guidelines. The FedRAMP Authorization Act establishes a Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.
FedRAMP is not a certification program. Before a cloud service can be considered for an Authorization to Operate (ATO) by the FedRAMP Joint Authorization Board (JAB), the Cloud Service Provider (CSP) must have the candidate service assessed under the FedRAMP program. A Third-Party Assessment Organization (3PAO) assesses the candidate service against the security and privacy controls defined in the latest revision of NIST Special Publication (SP) 800-53, plus the additional control enhancements required by FedRAMP, and reports its findings to the JAB. The JAB then decides whether the cloud service is awarded an ATO. This process is a risk assessment, and no certificates are ever issued. Ensuring that CSPs use FIPS 140-2 validated cryptographic modules is a critical element of a successful FedRAMP authorization.
FIPS Compliant vs. FIPS Validated
FIPS Compliant means that the vendor claims its product (typically its encryption libraries) meets the FIPS 140-2 requirements. Such products have not yet gone through the full, independent National Voluntary Laboratory Accreditation Program (NVLAP) review against the applicable protection profiles. FedRAMP has made it clear that it will not accept products that are merely compliant; they must also be validated by an approved NIST NVLAP laboratory. FIPS Validated, by contrast, means that the software (and/or hardware) has been independently validated by one of the 13 NIST NVLAP laboratories, which confirms that the cryptographic module within the product meets all of the FIPS 140-2 requirements. Using a FIPS 140-2 validated product is required, but it is not sufficient on its own: the product must also be configured to operate in FIPS mode.
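The last sentence above is where deployments most often fall short: a validated module that is not running in FIPS mode, or a TLS configuration that still offers non-approved algorithms, does not satisfy the requirement. The following Python script is an added example (not from the original article or any NIST/FedRAMP tooling) of the two checks a practitioner would run on a Linux host: reading the kernel flag `/proc/sys/crypto/fips_enabled`, which the Linux kernel exposes as `1` when FIPS mode is active, and auditing an OpenSSL-style cipher list (as used in an nginx `ssl_ciphers` directive) for primitives outside the FIPS publications in the table. The algorithm tables, the sample cipher string and the token-classification rules are constructed for illustration and are not NIST's authoritative lists; anything the script does not recognize is rejected rather than accepted.

```python
"""Two checks for a host that must operate in FIPS mode (constructed example):
1. is the Linux kernel flag /proc/sys/crypto/fips_enabled set to 1, and
2. does the configured TLS cipher list rely only on FIPS-approved primitives.
The algorithm tables below are illustrative, not NIST's authoritative lists."""
from __future__ import annotations

import re
from pathlib import Path

# Primitives covered by the FIPS publications in the article's table (constructed mapping).
FIPS_REFERENCE = {
    "AES128": "FIPS 197", "AES256": "FIPS 197",
    "SHA256": "FIPS 180-4", "SHA384": "FIPS 180-4", "SHA512": "FIPS 180-4",
    "SHA": "FIPS 198-1 (HMAC-SHA-1 used as the record MAC)",
    "RSA": "FIPS 186-4", "ECDSA": "FIPS 186-4",
}

# Primitives that are not FIPS-approved (constructed, non-exhaustive list).
NOT_APPROVED = {"MD5", "RC4", "DES", "NULL", "EXPORT", "CHACHA20", "POLY1305",
                "CAMELLIA128", "CAMELLIA256", "SEED", "IDEA"}

# Tokens naming key exchange or cipher mode rather than a primitive; they get no verdict.
STRUCTURAL = {"TLS", "WITH", "ECDHE", "DHE", "ECDH", "DH", "GCM", "CBC", "CBC3", "CCM", "PSK"}


def parse_fips_flag(text: str) -> bool:
    """Interpret the contents of /proc/sys/crypto/fips_enabled ("1" means FIPS mode is on)."""
    return text.strip() == "1"


def kernel_fips_enabled(proc_path: str = "/proc/sys/crypto/fips_enabled") -> bool | None:
    """Read the kernel flag; None when the file is absent (non-Linux host or old kernel)."""
    path = Path(proc_path)
    if not path.is_file():
        return None
    return parse_fips_flag(path.read_text())


def split_suite(name: str) -> list[str]:
    """Tokenize OpenSSL ("ECDHE-RSA-AES256-GCM-SHA384") and IANA ("TLS_AES_256_GCM_SHA384")
    suite names, gluing a cipher to its key size so AES/256 becomes AES256."""
    parts = re.split(r"[-_]", name.strip().upper())
    tokens: list[str] = []
    i = 0
    while i < len(parts):
        tok = parts[i]
        if tok in {"AES", "CAMELLIA", "ARIA"} and i + 1 < len(parts) and parts[i + 1].isdigit():
            tokens.append(tok + parts[i + 1])
            i += 2
            continue
        tokens.append(tok)
        i += 1
    return tokens


def evaluate_suite(name: str) -> dict:
    """Classify every primitive in one suite. fips_ok is False if any token is
    not approved or not recognized (unknown algorithms are never waved through)."""
    findings: list[str] = []
    references: list[str] = []
    unknown: list[str] = []
    for tok in split_suite(name):
        if tok in STRUCTURAL or tok.isdigit():
            continue
        if tok in NOT_APPROVED:
            findings.append(f"{tok}: not FIPS-approved")
        elif tok in FIPS_REFERENCE:
            references.append(f"{tok}: {FIPS_REFERENCE[tok]}")
        else:
            unknown.append(tok)
    return {"suite": name, "fips_ok": not findings and not unknown,
            "findings": findings, "references": references, "unknown": unknown}


def audit_cipher_list(ssl_ciphers: str, fips_flag_text: str | None) -> dict:
    """Audit a colon-separated OpenSSL cipher string (nginx 'ssl_ciphers' style)
    together with the kernel flag contents (None when the flag could not be read)."""
    results = [evaluate_suite(s) for s in ssl_ciphers.split(":") if s]
    return {
        "kernel_fips_mode": None if fips_flag_text is None else parse_fips_flag(fips_flag_text),
        "accepted": [r for r in results if r["fips_ok"]],
        "rejected": [r for r in results if not r["fips_ok"]],
    }


# Constructed sample: a legacy nginx-style cipher string mixing approved and non-approved suites.
SAMPLE_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:"
    "ECDHE-RSA-CHACHA20-POLY1305:AES128-SHA:DES-CBC3-SHA:RC4-MD5"
)

if __name__ == "__main__":
    flag = kernel_fips_enabled()  # live check on this host
    report = audit_cipher_list(SAMPLE_CIPHERS, None if flag is None else ("1" if flag else "0"))
    print("kernel FIPS mode:", report["kernel_fips_mode"])
    for r in report["rejected"]:
        print("REJECT", r["suite"], "->", r["findings"] or f"unknown tokens {r['unknown']}")
    for r in report["accepted"]:
        print("accept", r["suite"], "->", r["references"])
```

On the sample input the script rejects the ChaCha20-Poly1305, DES-CBC3 and RC4-MD5 suites and accepts the AES/SHA-2 suites. Two design choices matter for an assessor: unknown tokens fail closed, and the kernel flag is reported separately from the cipher audit, because a clean cipher list on a host whose module is not in FIPS mode still does not meet the requirement.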
More details at:
https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips
https://www.fedramp.gov/program-basics/
https://fortreum.com/fips-fedramp-what-you-need-to-know/
https://blogs.oracle.com/security/post/fips-fedramp-explained
Written by Amit Paunikar