Last week, Ordr announced the expansion of our NIST FIPS 140-2 validated product offerings. Ordr is one of the few next-generation IoT security vendors to offer this, and the announcement reflects both our commitment to our Federal and public sector customers and the continued pace of innovation by our engineering team.
There is sometimes confusion about what this validation means, so in this blog post we address the questions we are asked most often about FIPS 140-2.
What is FIPS 140-2?
For those not familiar with it, FIPS 140-2 validation is a cooperative effort between NIST (the U.S. National Institute of Standards and Technology) and its Canadian counterpart CSE (Communications Security Establishment). NIST and CSE jointly staff two programs: the CAVP (Cryptographic Algorithm Validation Program), which validates that individual algorithm implementations (AES, SHA-2, RSA and so on) produce correct results, and the CMVP (Cryptographic Module Validation Program), which validates the complete cryptographic module that contains those implementations against the FIPS 140-2 requirements. Both programs rely on accredited, independent third-party testing laboratories to perform the testing; a product vendor does not test its own module.
Why is FIPS certification important?
Encryption is an important part of any strategy to secure data, but encryption implementations vary widely in quality. Organizations in the private sector may use any algorithm or implementation they prefer. The U.S. federal government, however, established FIPS (Federal Information Processing Standards) as a baseline for vendors and products. For cryptography, the goal is to ensure that a minimum strength of cryptography, implemented correctly, is used in all Sensitive But Unclassified (SBU) federal operating environments.
FIPS 140-2 (Security Requirements for Cryptographic Modules, the second revision of the standard) defines the requirements that any hardware or software cryptographic module used in a product must meet, at one of four increasing security levels (Level 1 through Level 4). Among those requirements, a validated module must implement only approved algorithms (those listed in the standard's annexes) while operating in its approved mode; non-approved algorithms such as MD5 are disabled or flagged as non-compliant. The CMVP then publishes a certificate for each validated module, listing the module version and the operational environments (operating system plus hardware) on which it was tested.
Is FIPS certification important only to Federal agencies?
FIPS is mandatory for federal agencies. The Federal Information Security Management Act (FISMA) requires government agencies to use FIPS 140-2 validated cryptographic modules wherever cryptography protects sensitive data. This requirement extends to U.S. government contractors and third parties working for the federal government.
In addition, FIPS 140-2 validation is now widely required outside the federal government: state and local governments, and regulated industries such as finance, healthcare, legal and utilities, have adopted it as a baseline for the products they buy. Note that FIPS 140-3 has since been published as the successor standard and the CMVP validates new modules against it; existing FIPS 140-2 certificates remain on the active validation list during the transition period, so a FIPS 140-2 certificate continues to satisfy these requirements for now.
How did Ordr achieve our FIPS certification?
The Ordr platform relies on cryptographic modules that were validated after independent third-party laboratory testing, achieved together with Ordr's integration partner Ubuntu: FIPS Certificate #2888 covers the Ubuntu Kernel Crypto module and FIPS Certificate #2962 covers the Ubuntu OpenSSL module. Ordr's software performs all of its cryptography through these two validated modules rather than through its own implementations.
Which Ordr products are FIPS 140-2 certified?
Ordr ships its hardware platforms in the following validated operational environments (operating system plus hardware), each tested with and without PAA (Processor Algorithm Acceleration, the CPU's AES-NI instructions):
- Ubuntu 16.04 LTS 64-bit running on Supermicro SMX11SPL-F with PAA
- Ubuntu 16.04 LTS 64-bit running on Supermicro SMX11SPL-F without PAA (single-user mode)
- Ubuntu 16.04 LTS 64-bit running on Supermicro A1SAi with PAA
- Ubuntu 16.04 LTS 64-bit running on Supermicro A1SAi without PAA
- Ubuntu 16.04 LTS 64-bit running on Supermicro SYS-5018R-WR with PAA
- Ubuntu 16.04 LTS 64-bit running on Supermicro SYS-5018R-WR without PAA
Does Ordr need re-certification when there is a new software release?
FIPS 140-2 validation is not tied to a specific Ordr software release. The certificate covers the cryptographic modules themselves (the specific Kernel Crypto and OpenSSL module versions) together with the operating system and hardware layer they were tested on. Because Ordr's software calls the underlying validated Kernel and OpenSSL modules unchanged rather than shipping its own cryptography, an update to the Ordr application layer does not require revalidation. The caveats are the usual ones for any product built on a validated module: the validated module versions must remain installed, the system must be booted in FIPS mode, and the hardware must be one of the tested operational environments listed above; replacing the kernel or OpenSSL packages with non-validated versions, or disabling FIPS mode, would take the deployment out of its validated configuration. Within those bounds, all Ordr customers can operate the most recent version of our product without any validation delay.
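The validated status described above only holds if the appliance is actually running the validated modules in FIPS mode, which is something a customer can check rather than take on trust. The following script is an added example, not Ordr's or Ubuntu's own tooling: it collects the evidence a FIPS reviewer normally asks for on a Linux host (the kernel's fips_enabled flag, the fips=1 boot parameter, whether the OpenSSL binary refuses a non-approved digest, and the installed versions of the validated packages). The file paths are the standard Linux ones and are parameters so the checks can be run against constructed files; the package names (linux-fips, fips-initramfs, openssl, libssl1.0.0) are assumptions about the Ubuntu FIPS package set and should be compared with the names on the certificate.

```shell
#!/bin/sh
# Added example (not from the original page): evidence checks for a
# FIPS-enabled Ubuntu host. Every check is a function returning 0 on pass,
# 1 on fail, and 2 when the evidence file is missing, so a caller can
# distinguish "FIPS mode off" from "not a FIPS-capable kernel".

# Kernel flag: CONFIG_CRYPTO_FIPS kernels expose 1 here when booted with fips=1.
# $1 overrides the path (default /proc/sys/crypto/fips_enabled) for testing.
fips_kernel_flag() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag" ] || return 2
    [ "$(cat "$flag")" = "1" ]
}

# Boot parameter: fips=1 must appear as a whole token, so "fips=10" or
# "nofips=1" do not count. $1 overrides the path (default /proc/cmdline).
fips_cmdline() {
    cmdline="${1:-/proc/cmdline}"
    [ -r "$cmdline" ] || return 2
    for tok in $(cat "$cmdline"); do
        [ "$tok" = "fips=1" ] && return 0
    done
    return 1
}

# Algorithm enforcement: in FIPS mode the validated OpenSSL refuses MD5 (a
# non-approved digest) but still computes SHA-256 (approved). Passing both
# conditions is the behaviour expected from the FIPS-enabled package.
# $1 overrides the OpenSSL binary (default: openssl from PATH) for testing.
fips_openssl_enforces() {
    bin="${1:-openssl}"
    # MD5 succeeding means FIPS mode is NOT enforced in this OpenSSL.
    printf 'x' | "$bin" dgst -md5 >/dev/null 2>&1 && return 1
    printf 'x' | "$bin" dgst -sha256 >/dev/null 2>&1
}

# Installed versions of the packages named on the certificate, for comparison
# with the module versions the certificate lists (package names are assumptions).
fips_package_versions() {
    for pkg in "$@"; do
        dpkg-query -W -f='${Package} ${Version}\n' "$pkg" 2>/dev/null \
            || echo "$pkg not-installed"
    done
}

# Run every check on the live host, print the evidence, return 1 if any failed.
fips_report() {
    rc=0
    if fips_kernel_flag; then echo "kernel: fips_enabled=1"
    else echo "kernel: FIPS mode not enabled (or flag absent)"; rc=1; fi
    if fips_cmdline; then echo "boot: fips=1 present on kernel command line"
    else echo "boot: fips=1 missing from kernel command line"; rc=1; fi
    if fips_openssl_enforces; then echo "openssl: rejects MD5, accepts SHA-256"
    else echo "openssl: non-approved digest still allowed"; rc=1; fi
    fips_package_versions linux-fips fips-initramfs openssl libssl1.0.0
    return $rc
}

# Only run the live report when invoked as "./fips_check.sh --report", so the
# functions can also be sourced and called individually.
if [ "${1:-}" = "--report" ]; then
    fips_report
fi
```

Run it as `sh fips_check.sh --report` on the appliance; a non-zero exit means at least one piece of evidence is missing, and the printed package versions are what you compare against the module versions printed on certificates #2888 and #2962.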