What is FIPS 140-2?

Eric Gregory - October 19, 2021

Cryptography is the beating heart of cybersecurity, lying behind everything from SSH to the Secrets in a Kubernetes cluster. The history of the Internet is littered with weak encryption algorithms – many of which remain in widespread use long after the discovery of critical vulnerabilities. Security moves quickly, and organizations often struggle to keep up.

In order to protect its data, the U.S. federal government defines minimum standards for the cryptographic modules that handle that data, whether on the servers of government agencies or private contractors. The designation FIPS 140-2 refers to Federal Information Processing Standards (FIPS) Publication 140-2, "Security Requirements for Cryptographic Modules," which defines those requirements for modules implemented in hardware, software, firmware, or a combination of the three. Its successor, FIPS 140-3, has been in effect since September 2019 and is the only version accepted for new validation submissions since September 2021, but existing 140-2 validations remain on the active list for a transition period, and 140-2 is still the version most procurement language refers to.

Today, FIPS 140-2 is widely recognized as an important security baseline not just for government agencies, but in private industry and around the world.

What is FIPS Compliance?

Though private businesses aren’t required to conform to FIPS 140-2 unless they handle U.S. federal data, public standards make a useful benchmark for private industry — truly, these are the minimum requirements an enterprise should meet to protect its data and customers. (The standards kindly specify that they are “available” to private and commercial organizations — in other words, have at it.)

On the user side, U.S. departments, agencies, and private contractors must procure and use software whose cryptography is performed by FIPS-validated cryptographic modules. In practice this usually means running a piece of software in a FIPS mode that restricts it to approved algorithms, key sizes, and protocol options and disables everything else, such as MD5 or RC4 in TLS. Note the distinction between terms: a module is "validated" when it holds a certificate from the validation program described below; a product is "FIPS compliant" (or "FIPS enabled") when it routes its cryptography through such a module and runs it in an approved mode. Only the certificate, not a vendor's claim, establishes the former.

On the other side of the equation, providers of cryptographic modules must have them validated by the Cryptographic Module Validation Program (CMVP), a partnership between the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). Testing is carried out by accredited third-party laboratories, and each validated module receives a numbered certificate listed publicly by NIST, which is what a buyer should check when a vendor claims FIPS support.

Security Requirements in FIPS 140-2

FIPS 140-2 defines four security levels, Level 1 through Level 4, with ascending stringency across a range of security areas; Level 1 is typical for software-only modules, while the higher levels add tamper evidence, tamper response, and stronger operator authentication. The standard specifies requirements for many different aspects of a module, including:

  • Approved Algorithms: The standard's annexes list the approved security functions a module may use in FIPS mode, including hash functions from the Secure Hash Standard (SHS) and the SHA-3 Standard, symmetric key encryption and decryption (AES), digital signatures, and message authentication codes. Anything outside that list is non-approved and must be disabled or marked as not providing security in the approved mode.
  • Roles, Services, and Authentication: A cryptographic module must support distinct operator roles, at minimum a user role and a crypto officer role (the latter for initialization and key management), define the services each role may invoke, and, at Level 2 and above, authenticate operators by role or individual identity.
  • Operating Environment: The operating environment for the module is subject to a number of requirements, including isolation of keys and other sensitive data from other processes, a single-operator mode of operation at Level 1, and an integrity mechanism that protects the module's code from modification.

Mirantis and FIPS 140-2

For enterprises that seek to leverage FIPS-compliant container platforms — or achieve compliance across the entire solution stack — Mirantis provides several solutions:

  • Mirantis Kubernetes Engine (MKE) is our container orchestration platform for both Kubernetes and Swarm. With a FIPS-compliant container layer, enterprises can harden the foundation of their cloud native applications.
  • Running under the hood of our container platforms, Mirantis Container Runtime (MCR) manages the system components that actually run the containers — so enforcing FIPS compliance here truly integrates the standards from the ground up on the container layer. With restricted host access, end-to-end encryption, secure mutual TLS authentication, and cryptographic node identity, MCR is a container runtime tailored for security.
  • k0s is a lightweight, open-source Kubernetes distribution suitable for deploying large and small clusters alike, whether at the heart of an enterprise or at the edge. Control-plane isolation limits the attack surface, while worker nodes can run behind a firewall. Regardless of the use case, this distribution is FIPS-compliant out of the box, making it especially easy to bring compliance to edge and Internet-of-Things solutions.

Learn more about Mirantis government IT solutions.