FIPS 140-2: The FIPS Inside Approach

Thu, 04/02/2020 - 15:00

FIPS is Complicated – But it Doesn’t Have to Be

The Federal Information Processing Standards, or FIPS, were formulated by the National Institute of Standards and Technology to define the cryptographic standards and methods that are sufficient for US government applications. Those cryptographic standards are well-known, reliable, and used in various combinations by many device manufacturers. But the specific standards unique to FIPS are the requirement for wireless security in US government applications and hospitals.

It’s more than this though – the standards that make up FIPS are increasingly being adopted by OEMs everywhere, even for devices that don’t operate in government facilities. The reason for this is simple: it’s an existing set of standards, the work is already done, and the cryptographic modules and methods are commonplace even outside of FIPS. As an effective, pre-designed set of security policies, FIPS is becoming very commonplace, and many manufacturers are looking for ways to design it into their devices.

There are multiple approaches to this problem. You could design your own FIPS system and attempt to have it validated by an approved lab. But this is a process which requires a deep understanding of FIPS and introduces significant time and costs in validating your design. In this post, we look at the reasons to leverage a module provider’s certification (such as our 60 Series System on Module).

An Important Distinction: Validated vs. Certified vs. Compliant

Building an approved FIPS design is much more complicated than just using a handful of established cryptographic algorithms and sending it to someone for approval. In our own implementation, it took nearly two years to progress from our early design phase to actually achieving Level 1 FIPS certification.

This is largely due to the fact that we abandoned a FIPS-validated approach in favor of a FIPS-certified approach. The difference between these two is significant. While FIPS validated was a sufficient approach for many years, NIST and the US government are increasingly insisting on full FIPS certification. This means that, while many manufacturers were previously able to implement an existing methodology and then test for approval, a more lengthy and expensive certification approach is now needed.

Many manufacturers still list themselves as FIPS compliant. It’s important to recognize that FIPS compliant is a self-designated term that has no requirements or criteria. Manufacturers often label a product FIPS compliant as a way of saying the module is ready to be validated. But this doesn’t mean that the module IS FIPS validated and, when choosing a wireless module, it’s important to know that this equates to cost, effort, and time that you’ll have to apply yourself.

FIPS Inside: A High-Value Approach

Rather than perform your own design, test, and validation to produce a FIPS-certified product, the FIPS Inside approach allows you to leverage a FIPS-certified module in your end design without re-certifying or re-testing.

This approach has four distinct advantages:

  • Cost savings: Acquiring a FIPS validation is expensive. With an incorporated FIPS-validated encryption module, you are not burdened with the full cost of FIPS testing and certification. And, if you choose to get an official FIPS certificate for your end product, the cost is far less than the original testing.
  • Maintenance is someone else’s responsibility: When you purchase FIPS-validated hardware and/or software from a reliable vendor or manufacturer, you don’t have to worry about maintenance of the FIPS certificate. FIPS certifications expire (and require re-testing) every five years. In addition, significant hardware and/or software changes require a new FIPS certification. Many module vendors offer the service of maintaining a current FIPS certification for you whether it be for the regular five-year expiration or for an unexpected hardware/software change.
  • Reduced time-to-market: Because FIPS implementation should begin early in the design stage of a product and because the FIPS certification process can take a year or more, incorporating an encryption module that already has FIPS 140-2 validation makes sense. It would greatly shorten the time-to-market of your end product.
  • Time/personnel constraints: Like we stated earlier, the FIPS validation process is complicated and difficult. And, to effectively develop a FIPS-worthy encryption module, your engineering team must know all the ins-and-outs of the cryptographic requirements for validated modules. Trusting a reliable vendor (with an experienced encryption engineering team) to develop the module frees up your engineering team to focus on other end product features.

The 60 Series SoM: A Reliable IoT Platform with FIPS Certification Onboard

Our 60 Series System on Module (SOM) is the reliable, robust, secure platform that brings IoT designs to life. With a dedicated onboard FIPS cryptographic module, the 60 Series SoM is an ideal, dedicated wireless subsystem that brings Bluetooth 5 and Wi-Fi 802.11ac to your designs.

The 60 Series SoM runs its own embedded Linux build onboard a Microchip SAMA5D36 microprocessor, making it ideal for anything from serving as a dedicated wireless module to serving as the platform for your entire IoT design. It’s our most fully featured Wi-Fi module to date and it brings full FIPS certification to your end device with no cost or impact to the host system.

To learn more about our 60-SOM, visit the 60-SOM product page.

To learn more about FIP 140-2, see our FIPS 140-2 white paper.