By Nadia F. Elkaissi
Imagine you are a defense or government agency, presented with a new wireless robot that allows doctors from across the nation to perform surgery on patients. The technology is said to be the “next surgical robot of the future.” You are just about to ask for a quote for the product when the salesman mentions that the product is still in the process of becoming FIPS compliant.
What is FIPS?
Many hear those words when evaluating products, but never realize the complexity behind the letters or acronyms. Some may be asking “What does FIPS compliant mean?” or “Do I really need it to be FIPS compliant?” The answer to the second question is “Yes!” FIPS (140-2) stands for Federal Information Processing Standard and was developed by the National Institute of Standards and Technology (NIST) to be the benchmark safety and cryptography standard organizations must adhere to when protecting data. The FIPS standard is a requirement for all federal agencies that use cryptographic-based security systems to protect sensitive information in both computer and telecommunication systems (including voice systems), as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106, and the Federal Information Security Management Act of 2002, Public Law 107-347 (FISMA). It was also implemented so that third-party organizations working with the government comply with the standards for protecting Sensitive but Unclassified (SBU) information. In layman’s terms, the standard was built to validate that commercial cryptography implementations are safeguarding sensitive information by encrypting and protecting the data.
Understanding FIPS
There are a few areas an evaluator needs to know when reviewing the product. The first is to understand what a cryptographic module is, since it will be a key component for products that are FIPS compliant or FIPS validated. Let’s take the first word, cryptography. Although cryptography is not just encryption, we will focus on its use of encryption via keys and algorithms to protect the integrity of networks, programs and data from attacks. A cryptographic module can be hardware, software, firmware or any combination of the three that implements some form of cryptographic function (encryption, hashing, message authentication or key management). NIST and Communications Security Establishment Canada (CSEC) jointly run the Cryptographic Module Validation Program (CMVP), which tests modules against the FIPS 140 standard (itself based on ISO/IEC standards). The program evaluates the cryptographic module and assigns it a security level (1 is the lowest, 4 the most stringent). When reviewing products, it is recommended to understand the data that will be involved with the product and review the level of encryption the system provides.
FIPS Certification
Next, let us review the difference between FIPS compliance and FIPS validation. FIPS compliant means some components of a product are validated, but the product as a whole has not been validated. FIPS validated means that the product has undergone and passed detailed conformance testing by a laboratory accredited under the National Voluntary Laboratory Accreditation Program (NVLAP). Government agencies, especially in medical settings, commonly require 140-2 certification/validation. Due to the extensive documentation and validation that takes place for a module to become certified, a FIPS certification may take months. When evaluating products, it is important to ask whether the entire product is FIPS validated or only certain aspects are FIPS compliant. Do not forget that FIPS compliant does not mean the entire product is compliant.
Now, let us circle back to the wireless surgical robot scenario. When evaluating the wireless surgical robot, you should be focusing on identifying possible threats and determining whether this product has the capabilities to protect your data. For those familiar with the CIA Triad, you know that when implementing a cybersecurity framework, you need to focus on maintaining confidentiality, integrity and availability. Regardless of any firewalls or encryption already in place, without robust encryption from a FIPS validated system the product may allow other systems to read all of its traffic. Therefore, although the wireless surgical robot is a groundbreaking invention, it may be exposing your organization to more serious cyberthreats. In this case, waiting for the system to become FIPS certified is the safer and more responsible approach. This decision will ensure that your network and data are always secure.
FIPS 140-3
So, what about FIPS 140-3? We have long awaited the time when FIPS 140-3 would become the standard for FIPS compliance. On September 21, 2021, CMVP stopped accepting FIPS 140-2 submissions for new validation certificates. Even though FIPS 140-2 submissions are no longer accepted, existing module validations remain valid for five more years. This means that during your product evaluation, you can still consider products with FIPS 140-2 certifications. One thing to note is that by 2026, those certificates will all be moved to the historical list. There are not many changes between 140-2 and 140-3, but 140-3 aligns with ISO/IEC 19790:2012(E) and ISO/IEC 24759:2017(E). If an update or change is made to those ISO/IEC standards that NIST does not feel is adequate for the security needs of the federal government, NIST has the flexibility to adopt a different standard or create a revised standard controlled by NIST, to maintain the most secure posture possible.
You can obtain a FIPS certificate by contacting the medical device manufacturer (MDM) directly as part of your evaluation/prepurchase process, or search for it on the CSRC Cryptographic Module Validation Program website (csrc.nist.gov) by certificate number, vendor or module name. Keeping a copy of the FIPS certificate, noting it in your medical device inventory and including it in your governance, risk and compliance (GRC) policy will further reduce the risk of sensitive information exposure and, at the end of the day, make your job of keeping your medical devices as secure as they can be easier.
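One way to carry the evaluation steps above into a device inventory is a small triage script that flags devices with no certificate, devices that are only component-level compliant, 140-2 certificates approaching the historical list, and security levels below what the data requires. This is an added example, not code from the article or from any VA program; the record format, device names, certificate placeholders and the 2026-09-21 historical date (five years after the 2021 cutoff cited above) are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: CMVP stopped accepting 140-2 submissions on 2021-09-21 (per the
# article) and those certificates move to the historical list five years later.
FIPS_140_2_HISTORICAL_DATE = date(2026, 9, 21)

@dataclass
class DeviceRecord:
    name: str
    vendor: str
    cert_number: Optional[str]     # CMVP certificate number (from the MDM or CSRC search)
    standard: Optional[str]        # "140-2" or "140-3"
    security_level: Optional[int]  # 1 (lowest) to 4 (most stringent)
    scope: str                     # "validated" (whole product) or "compliant" (components)

def triage(rec: DeviceRecord, required_level: int, today: date) -> list:
    """Return (code, detail) findings for one device; an empty list passes."""
    findings = []
    if not rec.cert_number:
        # Nothing else can be checked without the certificate itself.
        return [("NO_CERT", "no CMVP certificate on file; request it from the MDM")]
    if rec.scope != "validated":
        findings.append(("COMPLIANT_ONLY", "only some components validated, not the product"))
    if rec.standard == "140-2":
        if today >= FIPS_140_2_HISTORICAL_DATE:
            findings.append(("HISTORICAL", "140-2 certificate is on the historical list"))
        else:
            days = (FIPS_140_2_HISTORICAL_DATE - today).days
            findings.append(("SUNSET", f"140-2 certificate becomes historical in {days} days"))
    elif rec.standard != "140-3":
        findings.append(("UNKNOWN_STD", f"unrecognised standard {rec.standard!r}"))
    if rec.security_level is None or rec.security_level < required_level:
        findings.append(("LEVEL", f"level {rec.security_level} below required {required_level}"))
    return findings

def triage_inventory(inventory, required_level: int, today: date) -> dict:
    """Map device name -> findings, so the GRC record can carry the result."""
    return {rec.name: triage(rec, required_level, today) for rec in inventory}

# Constructed sample inventory (not real devices or certificate numbers).
INVENTORY = [
    DeviceRecord("wireless surgical robot", "ExampleMed", None, None, None, "compliant"),
    DeviceRecord("infusion pump", "ExampleMed", "CERT-PLACEHOLDER-1", "140-2", 1, "validated"),
    DeviceRecord("imaging workstation", "ExampleMed", "CERT-PLACEHOLDER-2", "140-3", 2, "validated"),
]

if __name__ == "__main__":
    for name, findings in triage_inventory(INVENTORY, 2, date.today()).items():
        print(name, "PASS" if not findings else findings)
```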
– Nadia ElKaissi, CHTM, is the chief engineer at Charles George VA Medical Center.
