Cloud customers and prospects often inquire about whether a specific cloud solution is compliant with Federal Information Processing Standards (FIPS) and FedRAMP. For example, they ask:
- “Is this cloud Federal Information Processing Standard (FIPS)-140 compliant?”
- “Is it Federal Risk and Authorization Management Program (FedRAMP) certified?”
Both questions rest on a misconception. A cloud solution as a whole cannot be “FIPS 140 compliant”: FIPS 140 validation applies to individual cryptographic modules, not to services. And a “FedRAMP certification” does not exist: FedRAMP issues authorizations, not certificates. Compliance with the requirements of FIPS 140 and FedRAMP is commonly misunderstood in exactly these two ways.
While this may seem like a semantic discussion, understanding the correct terminology and approved mechanisms for demonstrating compliance is critical in determining that a cloud solution can meet FedRAMP requirements. This blog entry is intended to provide a high-level overview of the FIPS-140 standard, the FedRAMP program, and how they relate to each other.
What does it mean to be FIPS-140 validated?
FIPS 140 is a standard developed by the National Institute of Standards and Technology (NIST) in the U.S. It specifies security requirements for cryptographic modules: the hardware, software or firmware that implements approved cryptographic algorithms and manages their keys within a defined cryptographic boundary. Cryptographic modules used by U.S. federal agencies to protect sensitive but unclassified information, and by the Government of Canada to protect protected information, must meet the FIPS 140 standard. The International Organization for Standardization (ISO) drew on FIPS 140-2 when developing ISO/IEC 19790, and FIPS 140-3 in turn adopts ISO/IEC 19790:2012 by reference.
There have been three major versions of FIPS 140 (140-1, 140-2 and 140-3). The latest, FIPS 140-3, was approved in March 2019 and became effective on September 22, 2019; the CMVP began accepting FIPS 140-3 submissions on September 22, 2020 and stopped accepting new FIPS 140-2 submissions on September 22, 2021. See FIPS 140-3, Security Requirements for Cryptographic Modules.
A cryptographic module is FIPS 140 validated only when it has completed the Cryptographic Module Validation Program (CMVP) process and appears on the NIST Validated Modules List, where its certificate names the exact module version and the operational environments that were tested. The CMVP is run jointly by NIST and the Canadian Centre for Cyber Security on behalf of the U.S. and Canadian governments. Customers should be aware that, if a cryptographic module is not on this list, the U.S. government treats data encrypted with that module as plaintext and therefore unprotected. Oracle has published more information about FIPS on the Oracle Security Evaluation FIPS overview web page.
What does it mean to be FedRAMP authorized?
The Federal Risk and Authorization Management Program (FedRAMP) is not a certification program. It is a U.S. government security risk program which provides: “…transparent standards and processes for security authorizations and allows agencies to leverage security authorizations on a government-wide scale.” FedRAMP grants authorizations, not certificates. Before a cloud service can be considered for a Provisional Authorization to Operate (P-ATO) by the FedRAMP Joint Authorization Board (JAB), or for an ATO by an individual agency, the cloud service provider (CSP) must have the candidate service assessed under the FedRAMP program. A Third-Party Assessment Organization (3PAO) assesses the candidate service against the security and privacy controls of the applicable FedRAMP baseline (Low, Moderate or High), which is built from the latest revision of NIST Special Publication (SP) 800-53 plus the additional controls and enhancements FedRAMP selects, and reports its findings to the authorizing body in a Security Assessment Report (SAR). The JAB (or the agency) then decides whether the cloud service will be granted an authorization. To be clear, this process is a risk assessment, and no certificates are ever issued.
How FIPS-140 Relates to FedRAMP
When encryption is performed by a cryptographic module in a cloud service used by the U.S. government, the module must be FIPS 140 validated. As explained on the FedRAMP FAQ page, there are three NIST SP 800-53 controls that address encryption. One of them, IA-7, requires that “the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws […]” and references FIPS 140. The FedRAMP baselines also require, under SC-13 (Cryptographic Protection), that the cryptography used to protect federal data be FIPS validated or NSA-approved.
There are five steps in a FIPS validation, and each corresponds to a status the CMVP publishes for the module on its Modules In Process (MIP) list. The first step is complete when the module’s developer contracts with an accredited FIPS testing lab to start the project. The lab sends a draft Security Policy to the CMVP and NIST lists the module with Implementation Under Test (IUT) status. While the module is listed as IUT, the developer works with the lab on algorithm testing (under the companion Cryptographic Algorithm Validation Program, CAVP) and module testing, and the detailed documentation and test reports are written. The CMVP allows up to 18 months for that work to complete before the IUT listing lapses.
When all testing and reporting is complete, the lab submits its test report and supporting evidence to the CMVP, and the module’s status changes to Review Pending (step two). From that point it typically takes about nine months to reach step five, and external factors outside the developer’s control can lengthen the process further. Steps three, four and five correspond to the In Review, Coordination and Finalization statuses: the CMVP reviews the submission, the lab and developer resolve the reviewers’ comments, and the validation is finalized, at which point the FIPS 140 certificate is issued and the module moves to the Validated Modules List.
For a CSP seeking a FedRAMP ATO, the cryptographic modules used in the candidate cloud service are often still in the process of being FIPS 140 validated by their developers while the 3PAO is reviewing the FedRAMP submission package and performing the assessment. During the assessment, the CSP points the 3PAO to the modules’ entries on the CMVP Modules In Process (MIP) list to show that FIPS 140 validation is in progress.
One key difference between FedRAMP and FIPS 140 is the end result. With FIPS 140, the module under validation must pass the strict tests defined by the CMVP, and any failure must be remediated before a FIPS 140 validation certificate is issued. FedRAMP, because its result is an ATO, allows more flexibility. Any FIPS issues identified by the 3PAO are recorded as findings. For example, if a cryptographic module does not yet hold a FIPS 140 validation certificate but is on the MIP list, a judgment call is needed on whether that status should affect the awarding of an ATO. Assessors have the autonomy to make such calls and to deliver risk-based recommendations to the JAB. Making them well requires an understanding of the CMVP process and current timelines, and of what CSPs must navigate to obtain FIPS 140 validation certificates. An assessor will not always show flexibility toward a module that is not yet fully FIPS 140 validated, but its presence on the MIP list considerably reduces the likelihood that the gap blocks authorization.
Conclusion
FedRAMP is the U.S. government’s approach to ensuring cloud services meet U.S. government security requirements. It is important to note the distinction between security and compliance. A FIPS 140 validation is performed against an exact version of a cryptographic module, in the operational environments the lab tested. If a CSP deploys any other version of the module, including a newer version that fixes vulnerabilities and is therefore more secure, the CSP is technically no longer using a FIPS validated cryptographic module. Given the length of the CMVP process, it is nearly impossible to keep every module both validated and up to date at the same time, so a CSP has to decide, and document, which it prioritizes.
Oracle prioritizes upgrading the security posture of its cloud solutions, and then seeks to maintain compliance through the appropriate government security programs, including FIPS 140 validation.
For more information on Oracle’s FedRAMP cloud solutions see: https://www.oracle.com/industries/government/federal/fedramp/
For more information on Oracle’s FIPS 140 validations see: https://www.oracle.com/corporate/security-practices/assurance/development/external-security-evaluations/fips/
For more on Oracle’s cloud compliance programs see: https://www.oracle.com/corporate/cloud-compliance/