FAR, FIPS, and Federal Networks – The Cryptography Conundrum

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Karen Walsh of Allegro Solutions decrypts the cryptography conundrum our country is facing at the federal level.

While security-first compliance can enable organizations to achieve basic cyber hygiene, outdated laws and standards often reinforce the use of outdated technologies. For anyone watching the Cybersecurity Maturity Model Certification (CMMC) drama unfold over the last three years, the update to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 highlights the inconsistencies inherent in compliance objectives and security outcomes. As the federal government inches closer to a comprehensive standard across the Defense Industrial Base (DIB) and Federal Civilian Executive Branch (FCEB) supply chains, it must address the FIPS-validated cryptography conundrum.

Widget not in any sidebars

The Cryptography Conundrum

Following the Bureaucratic Breadcrumbs

The paper trails that government bureaucracies leave behind enable people to predict future activities, even if sometimes the journey to the prediction requires going back in time.

The Proposed Joint Rule

At the end of 2022, several agencies collaborated to propose a joint rule under the Federal Acquisition Regulation (FAR). The rule suggests standardizing security by applying the National Archives and Records Administration (NARA) Controlled Unclassified Information (CUI) program across all Federal contracts.

Under the “action” section, the proposed rules lists an 01/00/2023 date for publishing the proposed rule and a 03.00.2023 date for the end of the required public comment period. However, the FAR update may likely be stalled, awaiting NIST SP 800-171 updates.

Public Comments: The NIST CUI Series

In July 2022, NIST issued a Pre-Draft Call for Comments on the Controlled Unclassified Information (CUI) series of publications. In November, it released the Analysis of Public Comments. Interestingly, the document contains a callout box noting that commenters provided feedback on 53 different security requirements, with the most comments around security requirement 3.13.11, “Employ FIPS-validated cryptography when used to protect the
confidentiality of CUI.”

Under the next steps, NIST explained that the initial public draft of SP 800-171 Revision 3 is planned for late spring 2023.

Federal Networks and FIPS-validated Encryption: A Legacy Answer to a Modern Digital Problem

The FIPS-140 validation requirement for encryption solutions conflicts with the current National Cybersecurity Strategy, which may impact how NIST responds to the comments. FIPS-validated cryptography means that the cryptographic modules conform to the Federal Information Processing Standards (FIPS) Publication 140, whose current version, FIPS PUB 140-3, was published in March 2019.

FIPS-validated cryptography means that the module conforms to the FIPS 140-2 or FIPS 140-3 validation, having undergone independent verification through the Cryptographic and Security Testing Laboratories (CSTL), which the Cryptographic Module Validation Program (CMVP) then reviews and validates. Once approved, the CMVP adds the validated modules to its database.

Problematically, the CMVP process can take time. In fact, the program stopped accepting FIPS 140-2 submissions on April 1, 2022, but the website notes that it is experiencing “a significant backlog in the validation process.” While FIPS 140-3 is the most recent publication, the security requirements are now four years old. In technology, four years is a long time.

When security practitioners express concerns that compliance is not security, the cryptography conundrum is a perfect example of their frustration. The FIPS 140 validation process is time-consuming. Further, as the current backlog in 140-3 validations indicates, many organizations using FIPS-validated cryptographic modules still use modules tested against the 2001 security requirements.

The CMMC Level 2 Assessment Guide explains in practice SC.L2-3.13.8 – Data in Transit:

For users who need to share CUI, you install a Secure FTP server to allow CUI to be transmitted in a compliant manner. You verify that the server uses a FIPS-validated encryption module by checking the NIST Cryptographic Module Validation Program website. You turn on the “FIPS Compliance” setting for the server during configuration because that is what is required for this product in order to use only FIPS-validated cryptography.

Those organizations using standards and frameworks like CMMC and NIST SP 800-171 must implement specific cryptographic modules to achieve compliance. While the encryption vendor continuously improves its product, these organizations must stay rooted in an older product to meet the audit requirement, often turning on a less secure, outdated cryptographic module.

The Cryptography Conundrum

In March 2023, the White House released the National Cybersecurity Strategy (the Strategy). As an aspiration document, it suggests several high-level objectives that may not be realistic in the real world. Cryptography provides a small window into the larger contradictions between compliance, supply chain security, and the Strategy.

Strategic Object 3.5 “Leverage Federal Procurement to Improve Accountability” states:

Contracting requirements for vendors that sell to the Federal Government has been an effective tool for improving cybersecurity. … When companies make contractual commitments to follow cybersecurity best practices to the Federal Government, they must live up to them.

Problematically, the current framework upon which the federal government appears to be building a standardized encryption requirement undermines this objective. Contractors are currently required to use FIPS-validated cryptography models, many of which are less secure than an encryption provider’s primary enterprise product.

When the compliance mandates undermine security, they create risks rather than mitigate them.

Re-Assessing Federal Supply Chain Security with a Look to the Future

The FIPS standards were developed to enable compliance with the Federal Information Security Management Act of 2002 (FISMA). By setting technical requirements and minimums, these standards should help organizations manage complex decisions, like choosing a robust encryption solution. Problematically, accelerated technology use and development over the last two decades far outpaces the speed of laws and governing agencies. Whether NIST 800-171 removes the FIPS-validated requirement or not, many other organizations find themselves forced to use less secure cryptographic modules. Ultimately, any organization or agency bound by these requirements is forced to lower its security standards.

As the federal government looks to future-proof its networks, it should identify and remove these inconsistencies so that organizations can build system architectures that take a security-first approach to compliance.

Widget not in any sidebars