
Federal Information Processing Standard (FIPS) Publication 140

October 2024

FIPS 140 is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware. NetApp offers cryptographic modules that have achieved FIPS 140 validation.

The Federal Information Processing Standard 140 (FIPS 140) is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware that protect sensitive information. Compliance with the standard is mandated for use by U.S. government agencies, and it is also often used in such regulated industries as financial services and healthcare.

A cryptographic module is a piece of hardware, software, or a component of either that performs encryption operations. Cryptographic modules include cryptographic algorithms. Under the FIPS 140 standard, both the algorithm and the module are evaluated for compliance, using programs that are jointly developed by the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS).

The Cryptographic Module Validation Program (CMVP) is the accreditation program for cryptographic module security. The Cryptographic Algorithm Validation Program (CAVP) provides guidelines for validating the effectiveness of FIPS-approved and NIST-recommended cryptographic algorithms. A NIST-accredited third-party lab tests these algorithms and their components and validates their implementation and strength through this program.

FIPS 140 security requirements encompass 11 areas related to the design, strength, and operation of a cryptographic module (for example, cryptographic module specification and cryptographic key management). Each area includes a description of the methods that the accredited testing lab uses to evaluate the module against that area's requirements.

In each of the 11 areas, there are four security levels. Level 1 is the least restrictive, specifying the lowest level of security, and Level 4 specifies the highest level. Each level builds on the previous one, requiring more evidence and engineering of the product to demonstrate compliance.

  • Level 1 validation requires the cryptographic module to contain FIPS-approved algorithms. Typically, software attains Level 1 validation because the remaining levels specify physical requirements, which cannot be addressed through software.
  • Level 2 validation adds physical requirements, such as tamper evidence and opacity. If someone tries to tamper with the device, there should be evidence of it—typically, breakaway screws or adhesive that cannot easily be removed. Opacity requires that a human cannot directly observe what the module that is performing the cryptographic operations is doing. Typically, vendors encase the cryptographic module to meet the opacity requirement.
  • Level 3 validation adds requirements for physical tamper resistance to prevent intruders from accessing the cryptographic module. Mechanisms may include strong enclosures and circuitry that detects when the module doors have been opened.
  • Level 4 validation requires a complete security envelope that detects and immediately responds to all unauthorized physical access.

Accredited third-party labs perform validation tests of the cryptographic modules against FIPS 140 requirements, issuing a validation certificate that includes the module’s overall rating.

NetApp and FIPS 140

NetApp takes a variety of approaches to FIPS 140 compliance. This is because NetApp offers a variety of hardware, software, and services, which can include various components of the cryptographic modules validated under the standard.

  • For covered software, NetApp includes cryptographic modules that have achieved Level 1 validation for data-in-transit and data-at-rest encryption.
  • For covered hardware, NetApp acquires both hardware and software modules that have been FIPS 140 validated by the suppliers of those components. For example, the NetApp Storage Encryption solution leverages FIPS Level 2 validated drives.
  • Sometimes, features of a NetApp product can use a validated module in a way that complies with the standard even though the product or feature is not within the boundary of the validation. For example, NetApp Volume Encryption is FIPS 140 compliant: although it is not separately validated, it uses the NetApp CryptoMod (which is Level 1 validated in certain versions of ONTAP) in a FIPS-compliant manner. The security policy that is created as part of the validation specifies how to use the module so that it complies with the FIPS standard.

NetApp in-scope products and services

FIPS 140 validations by NetApp

NetApp products may include the following FIPS-validated software modules: NetApp Cryptographic Security Module (NCSM) and CryptoMod.

  • NCSM, used for SSH, TLS, and other services, is used in ONTAP and StorageGRID.
  • CryptoMod, used in ONTAP, is a kernel-level cryptographic module used by ONTAP’s Onboard Key Manager (OKM), NetApp Volume Encryption (NVE), NetApp Aggregate Encryption (NAE), and NetApp Storage Encryption (NSE) services.

For more information, including the certificate and its related security policy, click the certification number. 

  • NetApp CryptoMod 3.0 Cert #4731 (FIPS 140-3 Level 1)
  • NetApp CryptoMod 2.2 Cert #4144 (FIPS 140-2 Level 1)
  • NetApp Cryptographic Security Module (NCSM) 2.0 Cert #4838 (FIPS 140-2 Level 1)
  • NetApp Cryptographic Security Module (NCSM) 2.0 Cert #4297 (FIPS 140-2 Level 1)

FIPS 140 validations by self-encrypting drive manufacturers

NetApp purchases self-encrypting drives that are FIPS 140 validated by the original equipment manufacturer (OEM) or that contain OEM-validated FIPS 140 sub-chips. These drives are known as NetApp Storage Encryption (NSE) drives. Customers seeking these drives must specify them when ordering. The following NetApp products can use these drives: 

  • AFF A-Series, AFF C-Series, ASA A-Series, ASA AFF, ASA C-Series, and FAS storage systems 
  • E-Series and EF-Series storage systems 
  • StorageGRID Object Storage (when using E-Series and EF-Series systems) 

For more information, including the certificate and its related security policy, click the certification number on the Disk Drive & Firmware Matrix or E-Series Disk Firmware page. (Login required.) 

FIPS 140 validations by hardware security module manufacturers

Several NetApp products can be paired with an external key manager with a Hardware Security Module (HSM) that has achieved Level 3 validation. This does not make the entire solution Level 3, but offers the assurance that the keys are stored at this level. 

Contact NetApp Support or your NetApp account manager for more information on which ONTAP and Element software versions are available with FIPS 140 validated modules.

Frequently asked questions

What’s the difference between FIPS 140 validation and FIPS 140 compliance?

FIPS 140 validation of a cryptographic module means that it has completed the CMVP validation process and been certified. Products and services that implement those validated cryptographic modules for encryption or cryptographic functions in compliance with the security policy can be said to be in “compliance” with the standard.

Are all encrypting drives that NetApp sells FIPS 140 validated?

No. Level 2 drives come at a premium, so NetApp offers alternatives for customers who decide that the validation is not critical for them.

What if I need a validated product?

Although the FIPS 140 validation programs apply only to the cryptographic modules used by NetApp products and services, other certification programs exist that rely on or reference FIPS 140 protocols for encryption. For example, the Common Criteria evaluates security functionality, including encryption, and often relies on the FIPS 140 validation in issuing Common Criteria certification.

Because of the variety of products offered by NetApp, we recommend that you verify with your account manager that the specific product you are ordering includes FIPS 140 validated cryptographic modules, if you require such validation for your particular usage.
