Any non-military agency handling sensitive but unclassified (SBU) data for the federal government must be compliant with the Federal Information Processing Standards (FIPS). This means that government agencies, contractors, and any IT solution hoping to obtain a federal contract must be FIPS-accredited in order to be considered for immediate use.
However, the guidelines represent state-of-the-industry security research and can be voluntarily adopted by any agency looking to stay safe and ensure that its current level of secure file transfer is government-grade.
What are FIPS?
The FIPS are federal computing guidelines that exist to ensure all computing systems meet a verified standard of security, quality, and processing capability. Ultimately approved by the Secretary of Commerce, FIPS were developed by the National Institute of Standards and Technology (NIST) for the federal government and are constructed in accordance with the Federal Information Security Management Act (FISMA). In force since 2002, FISMA was created to protect federal data and outlines a set of security guidelines to that end, including risk categorization, security controls, system inventory, certification, and continuous monitoring.
FIPS fill the void where there are no acceptable industry standards that would enable government organizations to meet a certain federal requirement, and present approved methodologies for accomplishing those requirements effectively and securely. Essentially, these are federally mandated guidelines for government-related agencies dealing with sensitive federal information and deliver NIST-developed best practices concerning how to best meet those requirements.
Who do FIPS apply to?
While FIPS compliance is mandatory only for non-military government agencies, organizations working with the government or military, such as vendors or contractors, must comply as well. Specifically, these would be organizations dealing with SBU information. Unrelated entities that want to take advantage of the NIST-developed frameworks can also adopt FIPS standards for their own use.
Since FIPS is nested under FISMA, all agencies under FISMA are included in the compliance mandate. This includes those responsible for federally sponsored programs like Medicare, Medicaid, unemployment insurance, and student loans, as well as private sector agencies with government contracts.
What do FIPS cover?
Different organizations operate under certain FIPS frameworks, which cover different areas such as:
- FIPS 140-2 | Security Requirements for Cryptographic Modules
- FIPS 201-2 | Personal Identity Verification (PIV) of Federal Employees and Contractors
- FIPS 186-4 | Digital Signature Standard
- FIPS 197 | Advanced Encryption Standard (AES)
- FIPS 199 | Security Categorization of Federal Information and Information Systems
When it comes to Secure File Transfer (SFT), FIPS 140-2 deals with the encryption requirements necessary to make that happen. Entitled “Security Requirements for Cryptographic Modules,” it delineates which cryptographic strengths and algorithms meet the security standards for transferring files safely.
FIPS 140-2 defines four security levels:
Level 1 “allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an unevaluated operating system.” This enables users to run FIPS-level encryption on regular hardware and represents the most basic layer of protection. At this level, no physical security mechanisms are required beyond what is needed to execute basic encryption functions (i.e., “at least one Approved algorithm or Approved security function shall be used”).
Level 2 mandates role-based authentication, physical seals that provide evidence of tampering, and OS-based security protocols.
Level 3 builds on Level 2, adding tamper-resistant physical protections to the mix.
Level 4 builds on Level 3, including resistance to environmental hazards.
Broadly speaking, in practice FIPS regulates encryption algorithms, key storage, the formatting of location data and PII, and various data processing areas. This is essential to creating a uniform standard of protection among government entities and those dealing with confidential federal information.
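One practical way to check the "approved algorithm" requirement on a file transfer endpoint is to audit its SSH/SFTP cipher and MAC lists against an allowlist. The script below is an added example, not code from the original page or from GoAnywhere; its allowlist is an assumption built from the AES and SHA-based HMAC families that FIPS 140-2 Annex A approves, and the sshd_config fragment it scans is constructed for the example.

```python
import re

# Allowlist assumed for this example: AES ciphers and SHA-1/SHA-2 HMACs, which are
# Approved security functions under FIPS 140-2 Annex A. It is deliberately conservative;
# the Security Policy of your validated module is the authoritative list.
APPROVED_CIPHERS = {
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
}
APPROVED_MACS = {
    "hmac-sha1", "hmac-sha2-256", "hmac-sha2-512",
    "hmac-sha1-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
}


def parse_sshd_config(text):
    """Collect the comma-separated values of 'Ciphers' and 'MACs' keywords.

    Comments and blank lines are ignored; keywords are case-insensitive as in sshd.
    """
    found = {"ciphers": [], "macs": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"(?i)^(ciphers|macs)\s+(\S+)$", line)
        if m:
            found[m.group(1).lower()].extend(m.group(2).split(","))
    return found


def audit_fips_algorithms(config_text):
    """Return (keyword, algorithm) pairs that are not on the approved allowlist."""
    cfg = parse_sshd_config(config_text)
    findings = [("Ciphers", c) for c in cfg["ciphers"] if c.lower() not in APPROVED_CIPHERS]
    findings += [("MACs", m) for m in cfg["macs"] if m.lower() not in APPROVED_MACS]
    return findings


# Constructed sample sshd_config fragment for an SFTP endpoint (not a real host).
SAMPLE_CONFIG = """\
Port 22
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
MACs hmac-md5,hmac-sha2-256,umac-64@openssh.com  # legacy MAC list
"""

if __name__ == "__main__":
    for keyword, alg in audit_fips_algorithms(SAMPLE_CONFIG):
        print(f"non-approved {keyword} entry: {alg}")
```

Run against the constructed fragment it reports chacha20-poly1305, hmac-md5 and umac-64, which would need to be removed before the endpoint could be operated in a FIPS-approved mode.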
While you could go it alone, the right secure file transfer solutions can make a huge difference when it comes to prepping for compliance. In fact, proving compliance generally involves demonstrating those secure file transfer methods and backing them up with audit logs. GoAnywhere MFT, a managed file transfer solution, makes it easy by tracking file movements and letting you pull logs conveniently as needed.
To stay compliant, an organization needs to be aware of what is happening with its files and account for who is viewing them, where they are being transferred, and whether they are safe once they get there (at rest) and while they are travelling (in transit). GoAnywhere MFT can provide visibility over the entire file transfer process, making these answers easy to give and helping to keep organizations above the compliance line. In most cases, this means encrypting file transfers on-premises and in the cloud, encrypting the files themselves, and ensuring the integrity of the data being sent.
GoAnywhere data security helps you meet federal security requirements by providing encryption technologies that enable SFT, monitoring over the file transfer process, detailed audit logs and reporting, granular user permissions, and multiple pathways for securely sending files.
To see how GoAnywhere helps organizations secure, automate, and centralize their file transfers, you can request a live demo today.