A user asked about FIPS compliance with ControlUp, and the response was that ControlUp is likely closer to FIPS compliant than FIPS certified. Because the Windows FIPS policy registry key makes the .NET Framework allow only validated cryptographic modules, an uncertified implementation fails that check regardless of how closely it follows the standard. ControlUp’s security posture is described at https://www.controlup.com/controlling-your-security/, where different components are listed as in the process of FIPS 140-2 certification. IOP is a Linux appliance, so the Windows-specific explanation does not directly apply to it; COP is not an appliance but a web service, and the explanation above applies to it.
Read the entire ‘ControlUp’s FIPS Compliance Overview’ thread below:
Hello everyone, I recently got a FIPS workaround through a support ticket to enable FIPS at the OS level to meet DOD STIG compliance. I was wondering if COP, SOP, or IOP already have any type of FIPS compliance themselves because the bypass config file seems to be forcing FIPS to be disabled. Thank you for the help!
maybe you can help with this one?
So there are 3 "levels" if you will in terms of FIPS.
Works with FIPS-enabled Windows operating systems. This can be applications that set the FIPS enforcement config item, or just applications that use encryption libraries that don’t check the registry key. Whether they conform to the standards or not doesn’t matter because it isn’t enforced/checked.
Microsoft describes that like this:
> FIPS mode is merely advisory to applications. Applications that do not check or choose to ignore the registry setting associated with FIPS mode and that are not dependent on the subsystems described earlier will continue to work exactly as they had with FIPS mode disabled. For example, a Win32 application – or third party disk encryption software – written in C++ that uses the very weak and non-FIPS-approved DES encryption algorithm exposed by the CryptoAPI will behave exactly the same whether FIPS mode is enabled.
FIPS compliant but not certified. Many encryption algorithms match with FIPS requirements but haven’t explicitly been tested. These would be considered compliant but would fail the FIPS registry key check, because they haven’t been explicitly verified.
Via Microsoft
> Perhaps the biggest problems incurred by enabling FIPS mode involve applications that use the .NET Framework. If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved.
FIPS verified. These are encryption algorithms that have been explicitly certified by NIST. Certification takes time (and most likely money) and Microsoft seems to be unlikely to submit .NET-based encryption algorithms (managed algorithms).
Having said all that. ControlUp uses an encryption algorithm that hasn’t been explicitly certified. I don’t know if the algorithm is compliant to the standard.
It for sure isn’t certified so it fails the registry key check though.
Does that mean that ControlUp security is lacking in some regard? No. Take a look at https://www.controlup.com/controlling-your-security/
You’ll note that amongst other certifications, under FIPS 140-2, we are in the process of certifying different components.
This is sort of where my knowledge ends. As far as I’m aware we use cryptography beyond OpenSSL and Bouncy Castle. But we may not be able to get certification for Microsoft-owned cryptography (i.e. .NET cryptography providers).
Long story short: ControlUp is likely closer to FIPS compliant but not certified. But due to the way the registry key in Windows works, you need to use only certified modules. You can read more about Microsoft’s view on the FIPS enforcement registry key here.
> A particular implementation of an algorithm that has not been submitted cannot be considered FIPS-compliant even if it produces identical data as a validated implementation of the same algorithm
Thank you again @member for all of that information, but would this also apply to the OVA appliances (IOP, SOP)?
IOP being a Linux appliance, I’m not sure how FIPS applies.
COP, while not an appliance, is a web service: all of the above applies to the web services.
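The two mechanisms the thread describes, the registry key that is only advisory at the OS level but is enforced by the .NET Framework against the non-validated "Managed" classes, and the per-application opt-out that a bypass config file uses, can be observed directly on a Windows host. The following is an added example and is not ControlUp's code or anything posted in this thread. It assumes Windows PowerShell 5.1, which runs on the .NET Framework (PowerShell 7 runs on .NET Core, which does not apply the FIPS policy check to the managed classes, so it reports no blocked classes there), and the directory passed to Get-FipsOptOut is a placeholder.

```powershell
# Added example (not ControlUp's code). Shows (1) the OS-level FIPS policy value,
# (2) what the running .NET Framework believes, (3) which implementations of the
# same algorithm the Framework blocks, and (4) how to spot applications that opt
# out via <enforceFIPSPolicy enabled="false"/> in their .exe.config.
# Assumes Windows PowerShell 5.1 (.NET Framework); results differ on PowerShell 7.

$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

# 1. The value the STIG setting flips to 1. Missing key or 0 means FIPS mode is off.
$enabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
"Registry FIPS policy Enabled = $enabled"

# 2. The Framework reads the key once at process start, so changing the registry
#    requires a new process (and in practice a reboot for other subsystems).
"CryptoConfig.AllowOnlyFipsAlgorithms = $([System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms)"

# 3. Same algorithm, different implementations. The *Managed classes are pure-.NET
#    code that was never submitted for validation; the CryptoServiceProvider/Cng
#    classes wrap the validated Windows modules. Only the former are blocked.
$data = [Text.Encoding]::UTF8.GetBytes('constructed sample input')   # constructed test data
$candidates = @(
    'System.Security.Cryptography.SHA256Managed',
    'System.Security.Cryptography.SHA256CryptoServiceProvider',
    'System.Security.Cryptography.SHA256Cng',
    'System.Security.Cryptography.AesManaged',
    'System.Security.Cryptography.AesCryptoServiceProvider',
    # Wraps a CSP, but MD5 is not an approved algorithm, so the Framework blocks it too.
    'System.Security.Cryptography.MD5CryptoServiceProvider'
)
foreach ($typeName in $candidates) {
    try {
        $obj = New-Object -TypeName $typeName
        if ($obj -is [System.Security.Cryptography.HashAlgorithm]) {
            $digest = [BitConverter]::ToString($obj.ComputeHash($data)).Replace('-', '')
            "{0,-58} OK       {1}..." -f $typeName, $digest.Substring(0, 16)
        } else {
            "{0,-58} OK       (instantiated)" -f $typeName
        }
        $obj.Dispose()
    } catch {
        # Under FIPS mode the Framework raises InvalidOperationException:
        # "This implementation is not part of the Windows Platform FIPS validated
        # cryptographic algorithms." New-Object wraps it, so unwrap to the base exception.
        "{0,-58} BLOCKED  {1}" -f $typeName, $_.Exception.GetBaseException().Message
    }
}

# 4. Applications can opt out of the Framework check per process. This is what a
#    "bypass config file" typically contains; finding it tells you the application
#    is running non-validated crypto despite the OS policy.
function Get-FipsOptOut {
    param([Parameter(Mandatory)][string]$Path)   # directory tree to scan (placeholder in the usage below)
    Get-ChildItem -Path $Path -Filter '*.exe.config' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { [xml]$cfg = Get-Content -Path $_.FullName -Raw } catch { return }
            $node = $cfg.SelectSingleNode('/configuration/runtime/enforceFIPSPolicy')
            if ($node -and $node.enabled -eq 'false') {
                [pscustomobject]@{ Config = $_.FullName; EnforceFipsPolicy = $node.enabled }
            }
        }
}

# Usage (placeholder path; substitute the install directory of the application you are auditing):
Get-FipsOptOut -Path 'C:\Program Files\ExampleVendor' | Format-Table -AutoSize
```

With the registry value at 1, step 3 lists the Managed classes (and MD5) as BLOCKED while the CryptoServiceProvider and Cng classes compute digests normally; with the value at 0 or absent, every candidate reports OK, which is the "merely advisory" behaviour Microsoft describes. Step 4 is the check to run when a vendor ships a config-file workaround: an opt-out does not make the OS non-compliant, but it does mean that process is no longer restricted to validated modules, which is the point to raise with an assessor.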