The Dilemmas of FIPS 140-3 Compliance
FIPS 140-3 is a standard issued by the National Institute of Standards and Technology (NIST) that aims to provide a consistent and secure method for processing sensitive information using a rigorous certification process. Compliance with this standard is mandatory for specific organizations in the US and Canada, but many organizations still choose to adopt it as a best practice even if it’s not specifically required for them.
However, complying with FIPS 140-3 can be complex and time-consuming. The certification process to get an operating system validated is rigorous and takes a long time.
When an organization updates its FIPS-validated operating system to address a vulnerability, that system falls outside FIPS 140-3 compliance and needs to be re-certified. This conundrum can lead organizations to delay patches, forcing them to decide between remaining compliant and being protected against the latest vulnerabilities in their systems.
But do organizations need to choose between compliance and security? We believe this is no longer the case. This blog post will delve deeper into these issues and explore alternatives available to organizations, such as AlmaCare, a support service designed specifically for AlmaLinux that provides both continuous security and compliance.
What is FIPS 140-3?
FIPS 140-3 specifies the security requirements for cryptographic modules used in hardware and software. A cryptographic module in the context of an operating system like AlmaLinux is a package containing the implementation of one or more cryptographic algorithms and security measures used to protect sensitive information. A cryptographic module that has been certified to meet the requirements of FIPS 140-3 is considered a secure and reliable solution for protecting such information.
To put it simply, when a software or hardware product has a FIPS 140-3 certificate, it has met a high benchmark for cryptographic effectiveness and can be trusted.
A Must-Have or Nice to Have?
Compliance with the standard is mandatory for Canada’s and the United States’ federal government agencies, government contractors, and companies that provide services to the US federal government. For other organizations, compliance with FIPS 140-3 is a best practice, as it can help them protect sensitive data and assets as well as increase the trust of their customers and other stakeholders in the security of their products and services.
Outsourcing vs. DIY
Organizations requiring FIPS-certified deployments or those operating under compliance regimes with similar requirements (e.g., PCI DSS, HIPAA) can choose whether to certify their applications themselves or build them using already-certified components. The former implies significant investments, cryptographic expertise, and time, since it involves validation by a third-party NIST-accredited laboratory. The more complex the application is, the more effort will be required.
Compliance or Security
Operating systems that include cryptographic modules and handle sensitive information must comply with FIPS 140-3 just like all other components. For an operating system to comply with this standard, the cryptographic components of the operating system must be certified as an integral part of the cryptographic module. This means that any updates to the validated cryptography require the OS to be re-certified each time after these updates are installed.
Considering the time and effort required for re-certification, organizations are often forced to stick with their current OS version, essentially choosing to remain FIPS compliant over quickly protecting themselves against the latest vulnerabilities. At the same time, this delay in implementing critical security updates leaves organizations vulnerable to cyberattacks, which is a significant security concern.
Some organizations and agencies address this challenge by carefully evaluating their risk management strategies and weighing the potential risks and costs associated with remaining compliant with the FIPS standard. They may consider implementing alternative security measures, such as network segmentation, to mitigate the impact of vulnerabilities in the operating system. But there is a better way.
No More Trade-Offs
If you are looking for an enterprise-grade Linux distribution to meet the standards of the US and Canadian governments or operate in highly regulated environments, you need to think of a comprehensive solution that provides you with both continuous security and compliance at the same time.
If there were a distribution with regular FIPS re-certification and security updates that don’t break FIPS compliance, it would be a perfect fit. AlmaCare, a support service designed specifically for AlmaLinux, does exactly that. It not only provides you with regular re-certification of newer OS versions, but also gives you security patches that don’t touch the cryptographic boundary – a tiny portion of the operating system – so the patches do not impact compliance.
AlmaCare Compliance Extension
AlmaCare users can achieve regular FIPS re-certification and security updates that don’t impact FIPS compliance by adding the Compliance Extension, which delivers FIPS-validated components, including the kernel and OpenSSL for AlmaLinux.
In the AlmaLinux lifecycle, a new minor release arrives every six months, bringing new features until the fifth year. However, a FIPS-certified version must be stable and introduce as few updates as possible to retain its certification. For that reason, AlmaCare certifies specific minor releases that are supported for a longer period of time.
The OS versions currently planned for FIPS certification are 9.2, 9.6, and 9.10 (see Figure 1 below and the disclaimer at the end of this blog post). With the Compliance Extension, you can stay on the validated minor version and keep securely running on the validated code for 3 years without worrying that updates will break your certification.
The extension delivers a combination of high and critical security updates in the form of package updates and live patches that are tailored to ensure that you run with validated cryptography. They are never bundled with feature updates and deliver fixes for non-cryptographic vulnerabilities to bring stability while still allowing customers to receive the vast majority of security updates. Moreover, live patches can be applied while your certified AlmaLinux systems are running, eliminating the need for patch-related reboots or maintenance windows.
At the same time, if there is a cryptographic vulnerability, we fix it by delivering a new packaged kernel, which customers install and reboot into to update their systems. It is our intention to take every new kernel that modifies cryptography through the re-certification process designed for CVE fixes, which is much faster. This ensures that new kernels containing a fix for a vulnerability in their cryptography will be attested to comply with the FIPS 140-3 requirements.
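To make the boundary split concrete, here is an added example (not AlmaCare or TuxCare code) that checks whether the kernel reports FIPS mode and sorts a constructed list of pending updates into those that touch an assumed cryptographic-boundary package set (kernel and OpenSSL packages, an assumption for illustration) and those that can be applied without affecting the validated code.

```shell
#!/bin/sh
# Added example, not part of AlmaCare: classify pending package updates
# against an assumed cryptographic-boundary package set so that updates
# inside the boundary can be held for re-certification while the rest
# are applied. Package names and versions below are constructed.

# Packages assumed (for illustration) to sit inside the validated boundary.
CRYPTO_BOUNDARY="kernel kernel-core openssl openssl-libs"

# Return 0 if FIPS mode is enabled, 1 otherwise. Reads the kernel flag at
# /proc/sys/crypto/fips_enabled unless an alternative file path is given.
fips_mode_enabled() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Return 0 if package $1 is inside the cryptographic boundary.
in_crypto_boundary() {
  for p in $CRYPTO_BOUNDARY; do
    [ "$1" = "$p" ] && return 0
  done
  return 1
}

# Read "name version" lines on stdin and print "hold name version" for
# boundary packages, "apply name version" for everything else.
classify_updates() {
  while read -r name ver; do
    [ -z "$name" ] && continue
    if in_crypto_boundary "$name"; then
      echo "hold $name $ver"
    else
      echo "apply $name $ver"
    fi
  done
}

# Constructed sample of pending updates (not real advisory data).
SAMPLE_UPDATES="kernel 1.0-2
openssl 1.0-3
sudo 1.0-4
curl 1.0-5"

# Classification of the constructed sample.
sample_classification() {
  printf '%s\n' "$SAMPLE_UPDATES" | classify_updates
}

# Number of sample updates that would be held for re-certification.
held_count() {
  sample_classification | grep -c '^hold '
}

sample_classification
```

On a real host, `fips_mode_enabled` with no argument reads the live kernel flag, and the held packages would be the ones to exclude from the routine update run.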
To find out more about all the benefits of AlmaCare, check out our product page.
Disclaimer: The FIPS certification lifecycle for AlmaLinux is subject to change. TuxCare reserves the right to change the operating system versions to be certified at any time without prior notice.