March 2023
FIPS 140 is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware. NetApp offers cryptographic modules that have achieved FIPS 140 validation.
March 2023
FIPS 140 is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware. NetApp offers cryptographic modules that have achieved FIPS 140 validation.
The Federal Information Processing Standard 140 (FIPS 140) is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware that protect sensitive information. Compliance with the standard is mandated for use by U.S. government agencies, and it is also often used in such regulated industries as financial services and healthcare.
A cryptographic module is a piece of hardware, software, or a component of either that performs encryption operations. Cryptographic modules include cryptographic algorithms. Under the FIPS 140 standard, both the algorithm and the module are evaluated for compliance, using programs that are jointly developed by the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS).
The Cryptographic Module Validation Program (CMVP) is the accreditation program for cryptographic module security. The Cryptographic Algorithm Validation Program (CAVP) provides guidelines for validating the effectiveness of FIPS-approved and NIST-recommended cryptographic algorithms. A NIST-accredited third-party lab tests these algorithms and their components and validates their implementation and strength through this program.
FIPS 140 security requirements encompass 11 areas—for example, cryptographic module specification and cryptographic key management—related to the design, strength, and operation of a cryptographic module. Each area includes a description of the methods that the NIST lab uses to evaluate the module.
In each of the 11 areas, there are four security levels. Level 1 is the least restrictive, specifying the lowest level of security, and Level 4 specifies the highest level. Each level builds on the previous one, requiring more evidence and engineering of the product to demonstrate compliance.
Accredited third-party labs perform validation tests of the cryptographic modules against FIPS 140 requirements, issuing a validation certificate that includes the module’s overall rating.
NetApp takes a variety of approaches to FIPS 140 compliance. This is because NetApp offers a variety of hardware, software, and services, which can include various components of the cryptographic modules validated under the standard.
NetApp purchases self-encrypting drives (SEDs) that have been FIPS 140 validated by the original equipment manufacturer (OEM). These drives are known as NetApp Storage Encryption (NSE) drives. Customers seeking these drives must specify them when ordering. Drives are validated at Level 2, but the rest of the system is not validated. The following NetApp products can leverage validated SEDs:
Several NetApp products can be paired with an external key manager with a Hardware Security Module (HSM) that has achieved Level 3 validation. This does not make the entire solution Level 3, but offers the assurance that the keys are stored at this level.
For more information, including the certificate and its related security policy, click the certification number.
Contact NetApp Support or your NetApp account manager for more information on which ONTAP and Element software versions are available with FIPS 140-2 validated modules.
FIPS 140 validation of a cryptographic module means that it has completed the CMVP validation process and been certified. Products and services that implement those validated cryptographic modules for encryption or cryptographic functions in compliance with the security policy can be said to be in “compliance” with the standard.
No. Level 2 drives come at a premium, so NetApp offers alternatives for customers who decide that the validation is not critical for them.
Although the FIPS 140 validation programs apply only to the cryptographic modules used by NetApp products and services, other certification programs exist that rely on or reference FIPS 140 protocols for encryption. For example, the Common Criteria evaluates security functionality, including encryption, and often relies on the FIPS 140 validation in issuing Common Criteria certification.
Because of the variety of products offered by NetApp, we recommend that you verify with your account manager that the specific product you are ordering includes FIPS 140 validated cryptographic modules, if you require such validation for your particular usage.
To edit this Page SEO component