
I am in the very early stages of making my application FIPS 140-2 compliant... so early in fact that I am not sure what level it has to be... just writing a preliminary recommendations document at this point. However, I am fairly certain that the level will end up being either 1 or 2; so if it's not too much trouble, please answer my question for both FIPS 140-2 level 1 and level 2.

In reading the FIPS documentation, my confusion for Level 1 stems from the fact that in one place it says that you merely need production-grade equipment and that it is appropriate for situations where there is no physical security. However, in another place it says: "a conformal coating or a sealing coat applied over the module's circuitry to protect against environmental or other physical damage".

I am no build expert, but I've never had any sort of coating over any of my personal PC's circuitry. So it seems to me that any cloud provider would need this coating to conform to even FIPS level 1. Furthermore, it just seems unlikely to me that a normal shared cloud platform could be deemed acceptable as someone may read your RAM.

So here are my questions:

  1. Is it okay to host your FIPS level 1 compliant application in the cloud? How about level 2?
  2. If #1 is yes, are there specific requirements/certifications needed by the cloud host?
  3. If #1 is no, is it okay for the crypto module to be off the cloud and the other components to be on it?
  4. Just want to validate my assumption: it is okay to colocate at a normal facility for level 1, correct? If not, what are the requirements/certifications needed by the host? What about level 2?

Thank you for taking a look at my question; sorry, but I am not very experienced with the physical side of security, I just know the software and don't want to make any assumptions that will get me into trouble.

TheCatWhisperer

2 Answers

(Disclaimer: I am not a lawyer; don't try this at home.)

The U.S. government does have very specific guidelines for government agencies wanting to consume cloud services. Those cloud services must be FedRAMP certified. This is an arduous, lengthy, expensive process... and it's specifically geared toward cloud services, not managed or shared hosting.

Per the OMB memo published on December 8, 2011, all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements by 2014.

FedRAMP prescribes a bunch of security controls and configuration baselines here.

FIPS (140 and otherwise) and FedRAMP are not the same thing. FIPS 140 is much more specific, and details requirements for the use of cryptographic modules, which symmetric algorithms are allowed, which hashing algorithms are allowed, etc. Using another vendor's cryptographic modules in a FIPS-compliant manner is not the same as having a FIPS-certified solution. FIPS certification (the Cryptographic Module Validation Program) is also a lengthy and very expensive process whereby you must submit your cryptographic module (be it a physical hardware security module, or a software module such as a DLL file) to the government for them to review it and approve it. A cryptographic module cannot be FIPS certified, even if it generates identical data as a FIPS-certified module, unless it has passed the CMVP. However, you can use and incorporate other vendors' modules (such as OpenSSL, bcrypt.dll from Microsoft, etc.) in your solution and still call it a FIPS-compliant solution, or say that it is operating in a FIPS-compliant mode.

FedRAMP is about certifying your entire cloud solution, which is much grander in scope than just one application. FedRAMP encompasses everything from the physical security in your datacenters, to your disaster recovery plan, to how well documented your solution is, to how you conduct regular vulnerability scanning, as well as inspecting every operating system, application and server in your environment.

If you look into the security controls set forth in the FedRAMP certification program, it does mention FIPS several times. Cryptography must be employed in a FIPS-compliant manner throughout a FedRAMP-certifiable solution.

  1. Is it okay to host your FIPS level 1 compliant application in the cloud? How about level 2?

Yes, it's OK. FIPS is always OK (and furthermore typically required) for U.S. government agencies. In my experience, FedRAMP is not very picky about FIPS Level 1 versus Level 2, etc., only that FIPS Level-something is being used wherever cryptography is used.

If your solution is all software, I think the best you are going to do is FIPS 140 Level 1, since the requirements for Level 2 and above call for physical tamper-proofing, tamper evidence and other physical security measures (like that PCB coating you mentioned), and a purely software solution can never meet those requirements. A module that is validated to Level 2 or above would be something like a smart card or hardware security module that has physical attributes.

  2. If #1 is yes, are there specific requirements/certifications needed by the cloud host?

FedRAMP, and possibly others such as FISMA depending on which government agencies are looking to buy service from you.

  4. Just want to validate my assumption: it is okay to colocate at a normal facility for level 1, correct? If not, what are the requirements/certifications needed by the host? What about level 2?

There is no clause in any of the baselines that expressly forbids colocation and shared hosting; however, it's been my experience that you will need to show strong evidence of role-based access controls and sensitive account management, specifically when it comes to being able to disallow non-U.S. citizens from accessing the system, or even preventing U.S. citizens who are travelling abroad from accessing the system. This will probably implicitly disqualify most instances of colocation, because I couldn't guarantee that the datacenter cage next to yours couldn't be rented out by Russian spies, etc.

Ryan Ries


Cloud hosting is simply shared hosting with virtual machines. There's nothing particularly unique or magical about it; you can simply substitute the concept of "shared hosting" for "cloud hosting" and work out the details there.

Typically doing your own examination of a hosting provider's setup isn't going to be an option, so you'll have to rely on their certification or assertion of compliance. If they offer none, then you have to assume that they are not compliant because you have no way of proving otherwise.

Amazon offers something called Isolated GovCloud for ITAR-compliant applications which they claim provides FIPS 140-2 compliant endpoints, though from my cursory look I didn't see what level they claim to provide. Whether or not you trust them on this point is going to have to be your call.

Even if the company asserts that the endpoints they provide are compliant, the fact that you don't physically control the endpoint does put compliance somewhat in doubt: If the environment ends up being non-compliant, who takes the blame? You or the hosting company? If your lawyers are happy with taking the company's claims at face value, then you're free to proceed. Otherwise, you'll have to host somewhere where you can verify compliance on your own.

tylerl
  • So just to clarify, in your opinion, the safer option would probably be to go with colocation? That way we do not have to worry about their compliance, correct? – TheCatWhisperer Jan 22 '14 at 18:20
  • My opinion is that it's up to the lawyers. – tylerl Jan 22 '14 at 19:00
  • What if you worked in a company with very little in the way of formal structure... what if the decision was up to you (a lowly coder)... what configuration would do most to minimize risk? – TheCatWhisperer Jan 22 '14 at 19:55
  • You have to weigh cost and risk, which is something I'm in no position to do for you. – tylerl Jan 22 '14 at 20:23