DATA-04

Do all cryptographic modules in use in your solution conform to the Federal Information Processing Standards (FIPS PUB 140-2 or 140-3)?

Explanation

This question is asking whether all cryptographic modules (software or hardware components that implement cryptographic functions such as encryption, decryption and digital signatures) used in your solution comply with Federal Information Processing Standards (FIPS) Publication 140-2 or 140-3. FIPS 140-2 and 140-3 are U.S. government security standards that specify requirements for cryptographic modules. They ensure that cryptographic tools meet minimum security requirements and have been independently tested and validated. FIPS 140-2 was the standard until 2019, when FIPS 140-3 was introduced as its replacement, though many validated modules still reference 140-2.

Why this is asked in security assessments:

1. Regulatory compliance: many regulated industries (healthcare, finance, government) require FIPS-validated cryptography.
2. Security assurance: FIPS validation provides independent verification that cryptographic implementations meet the standard's requirements.
3. Risk management: using validated cryptography reduces the risk of weak or faulty encryption implementations.

To best answer this question:

- Inventory all cryptographic modules in your solution (encryption libraries, HSMs, secure elements, etc.).
- Verify whether each one holds a FIPS 140-2 or 140-3 validation certificate.
- If you use third-party services, check whether they use FIPS-validated cryptography.
- Be honest about any non-FIPS-validated components, and explain compensating controls where they exist.
- Include validation certificate numbers where possible so the assessor can verify them.
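The inventory-and-verify steps above can be kept as a small machine-readable record rather than a spreadsheet. The following script is an added example (not ResponseHub's code, and not tied to any real product): it models each module with its standard, certificate number and compensating controls, derives the yes/no answer and the gap list from that record, flags FIPS 140-2 certificates against the date NIST's CMVP has announced for moving them to the Historical list (2026-09-21, a constant you should confirm on csrc.nist.gov), and includes a heuristic runtime probe based on the documented hashlib behaviour that MD5 is refused when an OpenSSL FIPS provider is active. All module names and certificate numbers in the sample inventory are constructed placeholders.

```python
"""Added example: derive a DATA-04 answer from a cryptographic-module inventory.

Not part of the original page. Module names and certificate numbers below are
constructed placeholders, not statements about any real product.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
import hashlib
import ssl

# NIST's CMVP has announced that FIPS 140-2 certificates move to the Historical
# list on this date. Confirm the date against csrc.nist.gov before relying on it.
FIPS_140_2_SUNSET = date(2026, 9, 21)


@dataclass
class CryptoModule:
    name: str
    purpose: str                               # what it protects: TLS, disk, keys, ...
    standard: Optional[str] = None             # "140-2", "140-3", or None if unvalidated
    certificate: Optional[int] = None          # CMVP certificate number, if any
    compensating_controls: List[str] = field(default_factory=list)

    def is_validated(self) -> bool:
        """A module counts only if it names a standard AND a certificate number."""
        return self.standard in ("140-2", "140-3") and self.certificate is not None


# Constructed sample inventory (placeholder names and certificate numbers).
SAMPLE_MODULES = [
    CryptoModule("Example HSM (constructed)", "key management", "140-3", 9999),
    CryptoModule("Example OS crypto library (constructed)", "disk encryption", "140-2", 1234),
    CryptoModule("Non-FIPS runtime TLS stack (constructed)", "web TLS",
                 compensating_controls=["network segmentation", "enhanced monitoring"]),
    CryptoModule("Homegrown AES wrapper (constructed)", "token encryption"),
]


def assess_inventory(modules: List[CryptoModule], today: Optional[date] = None) -> dict:
    """Return the answer, validated modules, gaps, unmitigated gaps and 140-2 warnings."""
    today = today or date.today()
    gaps = [m for m in modules if not m.is_validated()]
    unmitigated = [m for m in gaps if not m.compensating_controls]
    warnings = []
    for m in modules:
        if m.standard == "140-2":
            state = "is Historical as of" if today >= FIPS_140_2_SUNSET else "becomes Historical on"
            warnings.append(f"{m.name}: FIPS 140-2 cert #{m.certificate} "
                            f"{state} {FIPS_140_2_SUNSET.isoformat()}; plan a 140-3 migration")
    return {
        "answer": "Yes" if not gaps else "No",
        "validated": [m.name for m in modules if m.is_validated()],
        "gaps": [m.name for m in gaps],
        "unmitigated": [m.name for m in unmitigated],
        "warnings": warnings,
    }


def draft_answer(modules: List[CryptoModule], today: Optional[date] = None) -> str:
    """Render the assessment in the shape of the example responses on this page."""
    r = assess_inventory(modules, today)
    scope = "all" if r["answer"] == "Yes" else "not all"
    lines = [f"{r['answer']}, {scope} cryptographic modules in our solution conform to FIPS 140-2 or 140-3."]
    for m in modules:
        if m.is_validated():
            lines.append(f"- {m.name} ({m.purpose}): FIPS {m.standard}, Certificate #{m.certificate}")
        else:
            controls = ", ".join(m.compensating_controls) or "NONE; remediation required"
            lines.append(f"- {m.name} ({m.purpose}): not FIPS validated; compensating controls: {controls}")
    lines.extend(f"- Note: {w}" for w in r["warnings"])
    return "\n".join(lines)


def openssl_fips_restrictions_active() -> bool:
    """Heuristic runtime probe, not a substitute for checking the certificate.

    With an OpenSSL FIPS provider active, hashlib refuses non-approved digests
    such as MD5 unless usedforsecurity=False is passed. Observing that refusal
    tells you FIPS mode is on; it says nothing about which module is validated.
    """
    try:
        hashlib.md5(b"probe")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(draft_answer(SAMPLE_MODULES))
    print(f"\nRuntime: {ssl.OPENSSL_VERSION}; FIPS restrictions observed: "
          f"{openssl_fips_restrictions_active()}")
```

The `unmitigated` list is the one to act on first: a non-validated module with no compensating controls is the gap an assessor will push back on, whereas a documented gap with controls and a remediation date (as in Example Response 3 below) is usually an acceptable interim answer.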

Example Responses

Example Response 1

Yes, all cryptographic modules used in our solution are FIPS 140-2 or 140-3 compliant. Our application uses the following validated modules: 1) Microsoft Windows 10 Cryptographic Primitives Library (Certificate #3197) for disk encryption and secure communications, 2) OpenSSL FIPS Object Module 2.0 (Certificate #1747) for our web services encryption needs, and 3) Thales Luna Network HSM 7 (Certificate #3205) for key management. We maintain documentation of all cryptographic modules in use and verify FIPS compliance annually as part of our security review process.

Example Response 2

Yes, our solution uses FIPS 140-2/140-3 validated cryptographic modules throughout our infrastructure. For our cloud-hosted components, we leverage AWS's FIPS-validated endpoints and services (AWS KMS is validated under FIPS 140-2, Certificate #2839). Our application code exclusively uses the BouncyCastle FIPS Java library (Certificate #3514) for all cryptographic operations. Our mobile applications use the Apple iOS CoreCrypto Kernel Module (Certificate #3856) and Android Keystore with FIPS-validated implementations. We maintain an inventory of all cryptographic modules and their respective FIPS validation status in our security documentation.

Example Response 3

No, not all cryptographic modules in our solution currently conform to FIPS 140-2 or 140-3. While our primary encryption for data at rest uses Microsoft BitLocker (FIPS 140-2 validated, Certificate #3084), our web application currently uses a non-FIPS-validated implementation of TLS through Node.js's built-in crypto library. We are aware of this gap and have scheduled a remediation project to replace this with a FIPS-validated alternative (likely the Node.js FIPS module) within the next quarter. In the meantime, we have implemented additional security controls including network segmentation, enhanced monitoring, and regular penetration testing to mitigate potential risks associated with the non-FIPS-validated cryptography.

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub