
What Is FIPS 140-2 and What Does FIPS Validated Mean?

Most large organizations have compliance obligations around FIPS. These include customers in the U.S. Government, but many businesses also treat FIPS as a best practice that helps them meet other regulatory requirements and industry standards.

Federal Information Processing Standard (FIPS) 140-2 is a U.S. government standard defined by the National Institute of Standards and Technology (NIST). It specifies the security requirements that a cryptographic module must satisfy. FIPS 140-2 validation is required by U.S. law when information systems use cryptography to protect sensitive government information. To achieve FIPS 140-2 validation, a cryptographic module is subject to rigorous testing by an independent Cryptographic and Security Testing Laboratory accredited by NIST.


FIPS Certification Levels

There are two levels of FIPS adherence: FIPS compliant and FIPS certified/validated.

  • FIPS compliant is a self-certification: the vendor asserts that its product adheres to the standard, but no independent lab has confirmed it.
  • FIPS certified/validated means the product has been tested by an accredited laboratory and audited to confirm that it adheres to the FIPS standard.

When you use FIPS 140-2 validated (not merely compliant) software, you know that the specific machine image you are running has been tested against the standard. Additionally, FIPS standards promote interoperability, ensuring that different systems and components can work together.


Which Organizations Require FIPS 140-2 Compliance?

FIPS 140-2 validation is mandatory in federal government departments that collect, store, transfer, share or disseminate sensitive but unclassified (SBU) information. This applies to all federal agencies as well as their contractors and service providers, including networking and cloud service providers. FIPS 140-2 has become the de facto standard for encryption beyond the federal government and is recognized as an important security standard outside the United States. It is used extensively in many state and local government agencies as well as in non-governmental industries, particularly manufacturing, healthcare and financial services, and wherever federal regulations govern data security. Regulations in such industries may require FIPS 140-2 compliance.

Anyone deploying systems into a U.S. federal SBU environment, and this includes cloud services, is required to comply with FIPS 140-2. In other words, the encryption used by the computer systems, solutions and services of federal government agencies must meet the minimum requirements specified in FIPS PUB 140-2. This has a large impact on the IT procurement process: without obtaining a variance, the only solution vendors that can be considered are those whose products have been validated against FIPS 140-2.


Where Does FIPS 140 Fit into the FedRAMP Process?

An important key to understanding the FedRAMP process is the set of controls required to meet or exceed its requirements. One specific control pertaining to the protection of sensitive data and the use of cryptographic modules is SC-13.

SC-13, in the "System and Communications Protection" family, provides guidance on the use of cryptography. Under this guidance, any use of cryptographic modules requires the organization to meet federal standards and policies. Using FIPS validated cryptographic modules demonstrates that the modules have been properly implemented according to NIST standards and can be trusted to protect sensitive information.

FIPS validation helps accelerate your FedRAMP approval process, including the related controls. SC-13 applies to all FedRAMP impact levels, and it is related to 28 additional controls, all of which are linked to the use of cryptographic modules.


Why Does FedRAMP Use NIST SP 800-53?

Today, NIST SP 800-53 is the de facto standard for IT control baselines in the federal government. One of the key benefits of FIPS 140 is that it can aid in the process of achieving FedRAMP approval. Third-party software such as Kubernetes and Istio does not simply inherit the service provider's FIPS certification; each software or hardware vendor is responsible for certifying its own solution to ensure compliance with the NIST standard.


Why Choose Tetrate for FIPS?

Upstream Istio doesn't provide FIPS-compliant builds suitable for use in regulated environments. Encryption alone isn't enough, and if you use purely open source software you inherit the burden of developing and maintaining the missing security features. Tetrate solves these challenges for you by offering TID Istio and Envoy binaries that are compiled against FIPS validated cryptographic modules and verified by an accredited testing lab to be FedRAMP compliant. TIS subscribers get access to Tetrate's FIPS verified Istio builds and the corresponding certification of compliance.