CMMC & FedRAMP: FIPS Certified vs. Compliant vs. Validated

Posted by Ignyte Team

June 24, 2022

5 key takeaways:

  1. There is only one FIPS designation – Validated.
  2. Validation is what most auditors look for when it comes to FedRAMP and CMMC.
  3. FIPS Validation means a product has undergone and passed detailed conformance testing at an accredited national laboratory.
  4. Organizations that have to follow CMMC must use FIPS validated cryptographic modules.
  5. To be FedRAMP authorized you have to use FIPS validated cryptographic modules.

The Federal Information Processing Standard (FIPS) 140-3 (2019) is “applicable to all federal agencies that use cryptographic-based security systems… and shall be used in designing and implementing cryptographic modules that federal departments and agencies operate or are operated for them under contract.” In other words, any organization that stores, processes, or transmits certain government information must do so in a way that conforms to the FIPS standard.

What does that mean for CMMC and FedRAMP? Because CMMC is designed to create environments capable of safeguarding government information, organizations that have to follow CMMC must use FIPS validated cryptographic modules. In much the same way, organizations that offer cloud services and products to the U.S. government must be FedRAMP authorized, and to be FedRAMP authorized you have to use FIPS validated cryptographic modules.

You’ll notice that we didn’t use the words certified or compliant. That’s because there is only one FIPS designation: Validated. Validation is what most auditors look for when it comes to FedRAMP and CMMC, not certification or compliance. But let’s take a closer look at the three words typically used when discussing FIPS and how these words are interpreted.

FIPS Certified

FIPS certified means the same thing as validated, so long as it is used in the context of a cryptographic module that has gone through the necessary validation process at a NIST-accredited lab.

FIPS Compliant

This is the one that causes trouble. In fact, many respondents in a recent survey conducted by MTSI about FIPS interpretations offered this explanation: “compliance means that different components of a product have received FIPS validation, but the product in its entirety has not passed testing or has not been tested at all.” Unfortunately, the word “compliant” is used only once in the official FIPS document, and there it refers to the Implementation Schedule. That is, there is no official use or definition of the phrase FIPS compliant. The industry has adopted this phrase on its own, without any factual basis for its use.

FIPS Validated

In the same survey, respondents said this about validation: “FIPS Validation means a product has undergone and passed detailed conformance testing at an accredited national laboratory.” This is the correct understanding of the FIPS 140-3 standard. To further demonstrate this point, all you have to do is read through the official document. If you read carefully, you’ll notice that any language that speaks to a cryptographic module adhering to the requirements of FIPS 140-3 uses the word “validated”. Not certified. Not compliant.

Conclusion

Ignyte believes there is only one FIPS designation – FIPS Validated. This is the language the authors of the standard use. It is the language NIST uses when referencing FIPS requirements. And it’s the verbiage the Open Security Controls Assessment Language (OSCAL) uses. Using any other terms just muddies the waters, and Ignyte prides itself on transparent precision in all aspects of our work. Does your system use FIPS validated cryptography? If you don’t know, contact us.
