November 30, 2022

    What It Takes to be FIPS 140-2 Validated in File Sharing

    File Sharing and FIPS 140-2 Validation

    Security is a huge issue in the world today. Companies are constantly trying to stay ahead of cyber criminals that want to steal their information or take control of their networks. While many businesses have implemented systems in place to protect themselves, there is still a lot that needs to be done. If you're not sure what this means, you're about to find out as we dive deeper into File Sharing and FIPS 140-2 validation for cryptographic modules!

    The FIPS 140-2 Standard

    The FIPS 140-2 standard for encryption is a U.S. government computer security standard that was developed by the National Institute of Standards and Technology (NIST). FIPS PUB 140-2 provides details related to the Security Requirements for Cryptographic Modules and how the are approved for use, or validated. The standard was published in 2001 and became mandatory for federal agencies to adopt by 2005. It has since been updated several times, most recently in 2013.

    The purpose of FIPS 140-2 is to establish minimum requirements for federal agencies when selecting cryptographic modules for use with sensitive information (including personally identifying information). This includes procedures and processes that must be followed when selecting these modules, as well as technical parameters such as encryption key length and message authentication code generation rates that must be supported by these modules.

    What Does it Means to be "FIPS 140-2 Validated"

    There are four Security Levels in the FIPS 140-2 standard. Each level then has 11 different areas related to the design and implementation of a tool's cryptography. As you might suspect, these 11 areas are scored to reflect the strengths and weaknesses of the tool. The cryptographic module receives a rating that reflects the maximum security level for which the module fulfills all of the requirements of that area.

    • Level 1 – Simplest requirements. It requires at least one tested encryption algorithm. It only requires the algorithm work, and not that one has been authorized for use.
    • Level 2 – Requires everything in level 1, and additionally requires role-based authentication and tamper evident physical device(s).
    • Level 3 – The level most organizations comply with. Takes all of the requirements in level 1 and level 2 and adds tamper *resistant* devices, separation of logical and physical interfaces that have critical security parameters to enter or leave a system, and identity-based authentication.
    • Level 4 – The most secure. As you might have guessed, it combines all the requirements of levels 1, 2, and 3 with some additional items such as requiring the contents of a device be erased if certain attacks are detected. The operating system (OS) being used by the cryptographic module must be more secure, also. If there are multiple users, the standard gets even higher.

    Who needs FIPS 140-2 Encryption?

    To be clear, FIPS 140-2 is an assurance that you're using strong encryption. It's validation that the solution you're using meets requirements that protect the cryptography from being hacked or tampered with. In this way, it is not a standard. Instead, it is a "stamp of approval." FIPS 140-2 is only concerned with the encryption of data at rest and in transit so it would not be considered a standard. So, what types of organizations are required to use a FIPS 140-2 encryption module?

    • Government agencies
    • Financial institutions
    • Healthcare organizations
    • Telecommunication providers
    • Utilities
    • Military and manufacturing companies

    Additionally, companies that need to protect sensitive data must use encryption modules that are FIPS 140-2 validated in order to do business with organizations in the Financial, Healthcare, and government industries. Agencies and organizations that are not validated against FIPS 140-2 are more likely to have vulnerabilities that might put proprietary data at risk.

    What are the benefits and drawbacks of FIPS 140-2?

    The benefits of FIPS 140-2 are obvious: it can help you achieve a high level of data protection, help you win work with the government under FISMA regulations, avoid fines related to data protection by having stringent in-house requirements, and win the trust of your clientele with the knowledge you're taking their protection seriously. But what are the drawbacks?

    Well, in order to be FIPS 140-2 approved, you need to make sure your file-sharing program is supporting strong encryption, and also inquire with all your software providers that they are using FIPS 140-2 authorized encryption modules. Because many file-sharing programs don't do this out of the box, upgrading or customizing your program may be necessary which could lead to additional implementation or downtime while the upgrade is taking place. In addition, there's a cost associated with getting compliant and keeping your files secure—there's no way around that.

    The cost is worth it though—if you're serious about data security and protecting your organization's intellectual property.

    What are the FIPS 140-2 Validation Requirements?

    • FIPS 140-2 validation is required for government agencies, financial institutions, and healthcare organizations to protect sensitive data.
    • Companies that need to protect sensitive data must use FIPS 140-2 approved encryption modules in order to do business with these organizations.

    The need for FIPS 140-2 in file-sharing software

    FIPS 140-2 is a standard that defines the requirements for cryptographic modules. In other words, it's a set of guidelines for how you should build your file-sharing software if you want to be FIPS 140-2 compliant. If your company has any kind of government agency or financial industry (such as credit card processing) or healthcare involvement, then it very likely has some sort of requirement for FIPS 140-2 compliance.

    The standard applies to any type of file-sharing software used within these industries; however, there are two main types: client and server-side applications. The difference between these two types is that one is installed on the user's computer (client side), while the other runs on an external server (server side).


    So, what have you learned? First of all, FIPS 140-2 is a really important validation for encryption in file-sharing software. It's why we offer it standard (no additional cost) for encryption-in-transit on all our plans. Companies that need to comply with this standard as a requirement of their broader compliance need to use FIPS 140-2 validated encryption algorithms in their products. Second, compliance with this standard is an excellent thing: it means that you are using best practices when it comes to encrypting sensitive data. 

    Tag(s): NIST , Government

    Brendon Ainsworth

    Brendon, Sharetru's CRO & VP of Sales, brings diverse industry experience, excelling in GCP & AWS infrastructure certifications.

    Other posts you might be interested in

    View All Posts