FIPS 140-2 Compliance
The Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, was issued by the National Institute of Standards and Technology (NIST) in May 2001 and is the Federal standard for cryptography in computer systems purchased by the government. The standard specifies the security requirements for cryptographic modules used within a security system that protects sensitive or valuable data.
Using a FIPS 140-2 validated cryptographic module ensures that the algorithms in use are deemed appropriate and that they perform encryption, decryption and hashing in accordance with the NIST standard. The requirements can be found in the following documents:
- Security Requirements for Cryptographic Modules
- Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules
ThreatQ FIPS 140-2 Compliance
ThreatQuotient complies with FIPS 140-2, which defines the technical requirements to be used by Federal Agencies when these organizations specify cryptographic-based security systems for protection of sensitive or valuable data.
The compliance of ThreatQ with FIPS 140-2 is ensured by:
- Integrating validated and NIST-certified third-party cryptographic module(s), and using the module(s) as the only provider(s) of cryptographic services;
- Using FIPS-approved cryptographic functions;
- Using FIPS-approved and NIST-validated technologies applicable for ThreatQ design, implementation and operation.
Modes of Operation
The ThreatQ platform operates in one of two modes, as determined by the OS configuration.
TLS
All ThreatQ platform communications can be secured with FIPS-compliant Transport Layer Security (TLS) 1.2 or higher, which relies on FIPS 140-2 approved hash algorithms and ciphers.
- The TLS handshake, key negotiation and authentication provide data integrity and use secure hashing, FIPS 140-2 approved cryptography and digital signatures.
- TLS encryption of data in transit provides confidentiality and makes use of FIPS 140-2 approved cryptography.
Enabling FIPS Mode
ThreatQ conforms to FIPS 140-2 Level 1 by dynamically linking to the FIPS 140-2 approved OpenSSL cryptographic module provided by the operating system, which is currently the Red Hat Enterprise Linux 7 OpenSSL Module.
The ThreatQ platform can be configured to operate in FIPS-Compliant Mode to ensure that its functions and procedures requiring cryptography (secure hashing, encryption, digital signatures, etc.), such as SSL/TLS connections, make use of the crypto services provided by the Red Hat Enterprise 7 OpenSSL Module v3.0, which is validated for FIPS 140-2.
The assurance that ThreatQ is using the right FIPS 140-2 encryption modules is managed at the operating system level by the CentOS implementation.
ThreatQ checks the OS-level flag /proc/sys/crypto/fips_enabled to kick off ThreatQ's FIPS mode installation.
You can enable FIPS Mode in your ThreatQ environment manually or via script. Links to both methods can be found below.
| Method | Steps Reference |
|---|---|
| Manual Configuration | https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations#sec-Enabling-FIPS-Mode |
| enableFIPS Script | https://access.redhat.com/discussions/3487481 |
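Because ThreatQ keys its FIPS mode installation off /proc/sys/crypto/fips_enabled, a pre-flight check of that flag before installing avoids ending up with a non-FIPS deployment. The script below is an added example for this page, not ThreatQ's installer or Red Hat's tooling; it assumes only that the flag file, when present, contains 0 or 1, and the optional path argument exists so the check can be exercised against a constructed file.

```shell
#!/bin/sh
# Pre-flight check for ThreatQ FIPS mode: inspect the kernel flag that
# the ThreatQ installer reads (/proc/sys/crypto/fips_enabled) and report
# whether the host is in FIPS mode. Added example; not ThreatQ's own code.
# Assumption: the flag file holds "0" or "1".

FIPS_FLAG_DEFAULT=/proc/sys/crypto/fips_enabled

# fips_flag_state [path]
# Prints one of: enabled | disabled | absent | invalid
# Exit status: 0 enabled, 1 disabled, 2 absent, 3 invalid
fips_flag_state() {
    flag="${1:-$FIPS_FLAG_DEFAULT}"
    if [ ! -r "$flag" ]; then
        echo "absent"
        return 2
    fi
    value=$(tr -d '[:space:]' < "$flag")
    case "$value" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "invalid";  return 3 ;;
    esac
}

# fips_preflight [path]
# Operator-facing summary with the next step; the exit status mirrors
# fips_flag_state so an install wrapper can gate on it (0 = proceed).
fips_preflight() {
    flag="${1:-$FIPS_FLAG_DEFAULT}"
    state=$(fips_flag_state "$flag")
    rc=$?
    echo "fips_enabled ($flag): $state"
    case "$state" in
        enabled)  echo "Host is in FIPS mode; ThreatQ will install in FIPS mode." ;;
        disabled) echo "Host is NOT in FIPS mode; enable it first (manual steps or enableFIPS script)." ;;
        absent)   echo "Flag not readable: kernel lacks FIPS support or this is not a Linux host." ;;
        *)        echo "Unexpected value in $flag; inspect the host before installing." ;;
    esac
    return "$rc"
}

# Run the summary only when invoked as: sh fips_preflight.sh run [path]
case "${1:-}" in
    run) fips_preflight "${2:-}" ;;
esac
```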