FIPS: What is it? Why is it Important?
FIPS stands for Federal Information Processing Standards, a set of computer security standards established by the US federal Department of Commerce’s National Institute of Standards and Technology (NIST). The goal of FIPS is to create a uniform level of security for all federal agencies in order to protect sensitive but unclassified information—a large portion of the electronic data not considered secret or higher.
Of most interest to microwave backhaul users are two particular FIPS standards, FIPS 197 and FIPS 140-2. FIPS 197 is straightforward enough: it provides the definition of the Advanced Encryption Standard (AES), which is the basis of so much of the security industry. Many security products from IT vendors are validated FIPS 197 through an organization within NIST called the Cryptographic Module Validation Program (CMVP) that reviews and verifies the testing results of independent labs that put participating company’s cryptographic modules through their paces.
It still begs the question, “Why is FIPS important?” The answer is simple. Rather than take your telecom vendor’s word that its products are secure and will properly protect your payload and network management traffic, FIPS is an assurance backed by the full faith of the United States government that FIPS-validated security solutions defend your electronic information thoroughly within the context of how the solutions were designed and manufactured.
However, not all FIPS validations are created equal. FIPS 140-2 that sets the standard for the Security Requirements for Cryptographic Modules has different levels of validation. For example, a cryptographic module that is validated FIPS 140-2 Level 1 provides that basic level of security by encrypting data going through it to the level of protection provided by AES. However, a cryptographic module that is validated to FIPS 140-2 Level 2 not only provides AES electronic encryption but also physical security of the device itself. This means that a FIPS 140-2 Level 2 validated cryptographic module cannot be tampered with unless the seals on the solution housing are broken in which circumstance the so-called cryptographic officer will know immediately information security has been compromised and she can the take action at once to remediate any data breach.
FIPS 140-2 validated cryptographic modules are required by law for all US federal agencies that handle sensitive but unclassified information. And other industry verticals are making FIPS 140-2 Level 2 a nonnegotiable item for their backhaul security including financials, healthcare industry, legal services, mobile operators and public safety.
Face it: We live in a more and more insecure world. Whether you are a common carrier, a first responder agency or a multi-site hospital system, your customers have been hyper-sensitized about security and expect you do to everything possible to protect theirs. If you don’t have FIPS-validated security on your backhaul now, they may force it on you later. Get ahead of the curve and look into implementing FIPS solutions today.
For more information on FIPS, download the Aviat Networks primer on FIPS.