FIPS 140-2 and FedRAMP: A 3PAO Perspective

Many organizations understand encryption is the key to keeping sensitive information secure, but there are several options like modules and algorithms to choose from – many without an established standard. Cloud solution providers looking to obtain FedRAMP authorization must comply with the FIPS 140-2 standard, use validated encryption modules and understand FIPS 140-2 requirements.

Recently, A-LIGN was invited to join stackArmor for a webinar on FIPS 140-2 and the Cryptographic Module Validation Program (CMVP), sharing how FIPS 140-2 relates to FedRAMP from the perspective of a third-party assessment organization (3PAO). Below are the key takeaways from the conversation regarding FIPS 140-2 and FedRAMP authorizations for cloud solution providers.

Understanding FIPS 140-2

Federal Information Processing Standards (FIPS) were created in 2001, and the publication FIPS 140-2 was written to establish a standard to guide organizations on appropriate uses of cryptographic modules. This specific standard breaks down the validation of these modules in four levels:

  • Level One: The lowest level of security, such as the operating system encryption on a PC.
  • Level Two: Requires evidence to show protection from unauthorized access.
  • Level Three: Prevents access to cryptographic security parameters through coatings or seals on chips and other mechanisms that are part of a device’s enclosure.
  • Level Four: The cryptographic module is secured so that, if unauthorized access is detected, the module takes automated action like deleting plain text security parameters.

FIPS 140-2 benchmarks the required hardware, software and cloud-based solutions when using encryption to achieve compliance. The important takeaway from a federal perspective is that each of these requires FIPS 140-2 encryption to be implemented for all cryptographic functions and Level Two tends to be the more common implementation level.

Cryptographic Modules

Cryptographic modules are how organizations utilize a validated encryption algorithm, and how the module is used – such as the hardware or software encryption – needs to be validated. Vendors may also embed encryption into their solutions, and it’s up to the organization to verify the chosen solution has not been modified, the NIST certification matches the solution and the certification is current.

  • Contact the vendor to determine how the solution uses the embedded validated cryptographic module if the cryptographic module is part of a larger solution.
  • Ask the vendor to provide a signed letter stating the module is unmodified, provides all cryptographic services in the solution and references the validation certificate number.
  • Verify the module is listed within the certificate number. For example, the module would not be considered validated if the software version is not in the certificate listing.

FedRAMP Authorization

How does encryption impact federal requirements? It’s up to the organization to determine if encryption is necessary and, if so, the encryption is using a FIPS 140-2 validated module. FedRAMP requires data at rest to be encrypted and prefers that encryption is used for data in transit as well.

If your organization is seeking a FedRAMP authorization, your approval may rely on using FIPS 140-2 validated modules. It’s about attention to detail when it comes to cloud solution providers achieving compliance, such as ensuring your solution is using FIPS 140-2 validated cryptographic modules with current validations rather than FIPS 140-2 compliant modules.


Have questions about receiving a FedRAMP authorization? Speak with an A-LIGN representative by emailing [email protected] or calling 888-702-5446 to secure your summit.