What is FIPS?
FIPS, short for Federal Information Processing Standards, is a set of computer security standards developed by the Computer Security Division of the National Institute of Standards and Technology (NIST). The standards describe document processing, encryption methods, and other information technology processes for use by non-military federal government agencies, as well as by government contractors and suppliers who work with these agencies.
Under the Federal Information Security Management Act of 2002 (FISMA), organizations must meet the data security and computer system standards established by FIPS. Although FIPS were established for use by the federal government, many private-sector organizations adopt them voluntarily.
What is FIPS 140-2 and why is it required?
Encryption is a critical security tool for protecting sensitive data, yet there is no single standard approach to encrypting data. Different encryption techniques use different algorithms to convert plaintext into ciphertext, and they are not all equally strong and secure.
The FIPS 140 standard specifies how cryptographic modules are designed, implemented, and operated. A cryptographic module is a collection of hardware, software, and firmware that performs security operations, including key generation and algorithm implementation. The standard also defines the technique for testing and validating the modules.
The security standards cover software and firmware security, physical security, cryptographic module interfaces, attack mitigation, and roles, services, and authentication. Departments and agencies of the federal government that run cryptographic modules, or that contract to have them operated on their behalf, must ensure that the modules they employ satisfy these tests.
Who needs to comply with FIPS 140-2?
US federal and state government agencies are required to comply with the FIPS standards. Organizations that provide IT-related services, such as cloud services, to US federal and state government agencies are also required to be FIPS compliant.
Many state and local government entities, as well as non-governmental businesses in sectors such as healthcare, financial services and manufacturing, use this standard extensively, as does any organization to which federal data security regulations apply. FIPS 140-2 compliance may be required by regulations in these industries. Many private organizations choose to comply with FIPS 140-2 because it allows them to work with US federal and state government agencies while also greatly reducing security risks.
How does miniOrange comply with FIPS 140-2?
miniOrange complies with all the security requirements set by FIPS 140-2, including Cryptographic Module Specification; Roles, Services and Authentication; Operational Environment; and Cryptographic Key Management, among others. The cryptographic modules used by miniOrange are designed and implemented according to FIPS 140-2 standards. This minimizes security risks and helps protect all our clients' sensitive information.
Note that miniOrange technically complies with all the requirements set by FIPS 140-2, and this compliance is not audited by any third-party vendor.