FIPS & IPS Containers
A Good Fit
First off, by definition, FIPS stands for Federal Information Processing Standard. FIPS is a publicly announced form of standardization developed by the U.S. federal government for use in their computer systems. They are used by all non-military government agencies and governmental contractors. Many of the FIPS are modified versions of standards used by such groups as the ISO, ANSI and IEEE. They are used for tasks such as; encoding data, formerly with geographic and country codes and more significantly, work with the encryption process (document processing, algorithms and information technology).
Since the early ‘90s, the FIPS has been used primarily by the National Institute of Standards and Technology (NIST) for federal computer systems but they are applied government-wide. The NIST develops FIPS standards when there are compelling federal government requirements for such areas as security and interoperability and there are no acceptable industry standards/solutions already available. The major focus concerns information technology; the development of tests, proofs of concept, reference data and other technical tools that support the creation of pivotal, forward-looking technology. NIST and the FIPS also address the need for cost-effective security and privacy.
A FIPS is adopted through procedures modeled after those used by the Administrative Procedures Act. First they announce the new FIPS through the Federal Register for public review and comment, and then there is a 30 to 90 day review period where comments and suggestions are taken and determinations are made for any potential changes. A detailed justification document is prepared which analyzes the comments made and explains any changes to the standard. Then the NIST submits the standard for approval to the Secretary of Commerce and if approved, it will be compulsory and binding for federal use. Finally, an announcement is made online and in the Federal Register about the approval.
For more detailed information, the FIPS homepage can be found here.
The FIPS standard that K.L. Security wants you to know about is FIPS series 140; the Security Requirements for Cryptographic Modules. NIST developed this standard to coordinate the requirements for modules and address both hardware and software concerns by agencies in the U.S. government. The 140 series was first developed in 1994 and upgraded in 2001.User agencies that want to implement cryptographic modules should confirm that the module is covered by a FIPS 140-1 or 140-2 validation certificate which specify the exact module name, hardware, software, firmware and/or applet version numbers; for higher security levels, the operating system must also be listed. The use of validated cryptographic modules is required by the U.S. government for all unclassified uses of cryptography. FIPS 140 is also endorsed by the government of Canada.
The FIPS 140-2 series has four levels of security and eleven areas of requirement.
Security level 1 has very limited requirements. All components must be production-grade and various egregious kinds of insecurity must be absent. Level 2 adds requirements for physical tamper-evidence and role-based authentication. In level 3, there are requirements for physical tamper-resistance and identity-based authentication. Level 4 makes the physical security requirements more stringent and requires robustness against environmental attacks.
The eleven areas of requirement are; cryptographic module specification, cryptographic module ports and interfaces, roles/services/authentication, finite state model, physical security, operational environment, cryptographic key management, EMI/EMC, self-tests, design assurance and mitigation of other attacks.
FIPS 140-3 is currently in development and a full account of the current 140-1/2 series publication can be found here.
Why are we interested in telling you about FIPS? Because we offer equipment that works very well with the requirements set out by the standard. The fact of the matter is that if you have to have a secure place to put cryptographic modules. We offer a line of GSA-approved IPS containers that are perfect for in the office or in the field. The IPS 30-39-24 is great for the storage of SIPRNET and NIPRNET communications as well as computer equipment, network servers and encryption devices. The IPS 54-39-24 is larger and can accommodate 47 1/8” of rackmount equipment and the IPS 54-45-24 can hold several servers and is ideal for larger computer equipment. For smaller or more mobile needs; check out the IPS 23-36-19; which can hold small routers, cryptographic equipment, laptops, notebooks/netbooks. All of these Hamilton products are GSA-approved and we’re proud to have them.
If you’re a government vendor, then we can help you meet the FIPS requirement and provide extra security.