Cryptography is the beating heart of cybersecurity, lying behind everything from SSH to the Secrets in a Kubernetes cluster. The history of the Internet is littered with weak encryption algorithms – many of which remain in widespread use long after the discovery of critical vulnerabilities. Security moves quickly, and organizations often struggle to keep up.
In order to protect its data, the U.S. federal government defines minimum standards for cryptographic software modules handling that data, whether on the servers of government agencies or private contractors. The designation FIPS 140-2 refers to the Federal Information Processing Standards (FIPS) Publication 140-2, a document that defines cryptographic security requirements for software.
Today, FIPS 140-2 is widely recognized as an important security baseline not just for government agencies, but in private industry and around the world.
What is FIPS Compliance?
Though private businesses aren’t required to conform to FIPS 140-2 unless they handle U.S. federal data, public standards make a useful benchmark for private industry — truly, these are the minimum requirements an enterprise should meet to protect its data and customers. (The standards kindly specify that they are “available” to private and commercial organizations — in other words, have at it.)
On the user side, U.S. departments, agencies, and private contractors must procure and utilize software with FIPS-validated cryptographic modules. Often, this will mean running a piece of software in a FIPS-compliant mode that enforces the use of more rigorous security protocols.
On the other side of the equation, providers of software with cryptographic modules must receive validation by the Cryptographic Module Validation Program, a partnership between the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cybersecurity (CCCS).
Security Requirements in FIPS 140-2
There are four levels of FIPS compliance with ascending stringency across a range of security components. FIPS 140-2 specifies requirements for a many different aspects of the software system, including:
- Approved Algorithms: The standard defines a set of approved cryptographic algorithms including specific implementations of types such as Secure Hash Standard (SHS), SHA-3 Standard, Symmetric Key Encryption and Decryption, Digital Signatures, and Message Authentication
- Roles, Service, and Authentication: A cryptographic module must support a range of roles — including a crypto officer — along with key security services and robust authentication for operators
- Operating Environment: The operating environment for the cryptographic module is subject to a number of requirements, including isolation of sensitive data from other processes, single operator status, and a means to protect the cryptographic module from modification
Mirantis and FIPS 140-2
For enterprises that seek to leverage FIPS-compliant container platforms — or achieve compliance across the entire solution stack — Mirantis provides several solutions:
- Mirantis Kubernetes Engine (MKE) is our container orchestration platform for both Kubernetes and Swarm. With a FIPS-compliant container layer, enterprises can harden the foundation of their cloud native applications.
- Running under the hood of our container platforms, Mirantis Container Runtime (MCR) manages the system components that actually run the containers — so enforcing FIPS compliance here truly integrates the standards from the ground up on the container layer. With restricted host access, end-to-end encryption, secure mutual TLS authentication, and cryptographic node identity, MCR is a container runtime tailored for security.
- k0s is a lightweight, open-source Kubernetes distribution suitable for deploying large and small clusters alike, whether at the heart of an enterprise or at the edge. Control-plane isolation limits the attack surface, while worker nodes can run behind a firewall. Regardless of the use case, this distribution is FIPS-compliant out of the box, making it especially easy to bring compliance to edge and Internet-of-Things solutions.
Learn more about Mirantis government IT solutions.