FIPS Standards for Self-Encrypting Drive Technology

Frequently Asked Questions

 

What are FIPS 140-2 and FIPS 140-3 Standards?

FIPS (Federal Information Processing Standard) 140-2 and 140-3 are U.S. government standards that describe the encryption and security requirements that IT products should meet for sensitive, but unclassified, use.

What do FIPS 140-2 and FIPS 140-3 specify?

These standards ensure that a product uses sound security practices, such as approved, strong encryption algorithms and methods. They also specify how to authorize individuals or processes to use the product, and how to design modules or components to interact securely with other systems.

Why is encryption necessary?

Drives are constantly retired (returned under warranty, for repair, or at the end of a lease agreement, repurposed for other storage duties, or sold), lost, or stolen. When unprotected data leaves the owner’s control and is compromised, a company faces loss of revenue, market share, and customer confidence. It can also be subject to civil penalties for violating data privacy regulations. This is catastrophic for any organization, and especially for smaller businesses.

Seagate estimates that at least 50,000 drives containing terabytes of data leave data centers daily. IBM estimates that 90 percent of drives returned for warranty contain readable data. According to industry experts such as the Ponemon Institute, the average cost per data breach increases every year, and was US$6.6 million in 2008, or US$202 per compromised record.¹

The Ponemon Institute further estimates that 81 percent of laptops contain sensitive data, and 10 percent of all laptops are lost or stolen during their lifetime. It is estimated that every week 12,000 laptops are lost or stolen in U.S. airports alone. The average cost to a business when a laptop containing sensitive yet unencrypted data disappears is nearly US$50,000. In extreme cases, the costs can be nearly US$1 million.²

What levels are associated with FIPS 140-2 and FIPS 140-3?

FIPS 140-2 and FIPS 140-3 define four levels of security. A FIPS 140-2 or FIPS 140-3 validation specifies the security level to which the product adheres.

Level 1 is used for software-only encryption products, and it imposes limited security requirements. All components must be production-grade and egregious types of insecurity must be absent.

Level 2 requires role-based authentication, but not individual user authentication. Level 2 requires the ability to use physical locks or tamper-evident seals to detect physical tampering.

Level 3 adds physical tamper resistance to disassembly or modification. This resistance makes it almost impossible to hack. When the tamper-detection response is activated, the device must be able to erase critical security parameters. Level 3 includes robust cryptographic protection and key management, and identity-based authentication. There must be physical or logical separation between the interfaces by which critical security parameters enter and leave.

Level 4 includes advanced tamper protection. This level is designed for products that operate in physically unprotected environments.

What level of FIPS 140 validation did Seagate obtain?

Seagate® Self-Encrypting Drive (SED) storage devices are validated as FIPS 140-2 Level 2 conformant. In the future, Seagate SED devices will be validated as FIPS 140-3 Level 2 conformant.

Why did Seagate obtain FIPS 140 Level 2 validation?

Organizations of all types are demanding the encryption of data at rest to protect against loss or theft. FIPS 140-2 Level 2 validation is viewed as a mark of security and quality. FIPS certifies to all buyers that the Seagate FIPS SEDs meet the U.S. federal government requirements for security products.
In 2021, Seagate products will be FIPS 140-3 Level 3 validated.

What types of products require FIPS 140-2 and FIPS 140-3?

FIPS 140-2 applies to any product that stores or transmits sensitive data. This includes hardware products like link encryptors, hard drives, SSDs and other removable storage media. It includes software products that encrypt data during transit or while stored.

Do I really need this much security? Isn’t the operating system password enough?

You can bypass operating system security such as passwords by removing a drive and mounting it in another computer. Even BIOS ATA drive passwords are vulnerable unless you use them with a Seagate SED drive or similar. Encrypting the data on the drive is a proven way to protect it.

Which organizations or businesses require compliance with FIPS 140-2?

In the U.S., the National Institute of Standards and Technology (NIST) requires all federal agencies to use FIPS 140-2 Level 2 Validated products to secure data that is designated as “Sensitive but Unclassified” in computer and telecommunications systems (including voice systems).

In Canada, the Communications Security Establishment (CSE) requires federal agencies to use FIPS 140-2 Level 2 Validated cryptographic modules to secure data designated as Protected Information (A or B) in computer and telecommunications systems (including voice systems).

FIPS 140 validation is a prerequisite for a cryptographic product to be listed in the Canadian government's ITS Pre-qualified Products List. In the U.K., the Communications-Electronics Security Group recommends the use of FIPS 140 Validated cryptographic modules.

Civilian companies worldwide that contract with U.S., Canadian or U.K. federal government organizations that require FIPS 140-2 encryption compliance are also required to be compliant. Additionally, commercial companies, especially in the finance, healthcare, education, and infrastructure (national security) verticals, increasingly require FIPS 140-2 compliance throughout the world. These companies want to follow the highest standard in protecting data. They recognize the rigor that goes into a FIPS 140 certification. They regard FIPS 140-2 compliance as the preferred standard for security and they choose to depend on this standard for their own encryption needs.

What are FIPS 140-2 and FIPS 140-3 validations?

FIPS 140-2 validation is a testing and certification program that verifies that a product meets the FIPS 140-2 standard. NIST established the Cryptographic Module Validation Program (CMVP) to validate products against these requirements.
FIPS 140-3 is the newest version of this FIPS 140 standard. Specifically, it represents the U.S. decision to adopt previous ISO standards.

What does it take to get a FIPS 140-2 certification?

To be FIPS 140-2 Validated or FIPS 140-3 Validated, a product must adhere to the stated FIPS design and implementation requirements, and be tested and approved by independent labs accredited by NIST.

Which FIPS 140 standard is current?

The 140-numbered FIPS publications are a series of security standards that specify requirements for cryptographic modules. FIPS 140-1 was issued in 1994 but was supplanted by FIPS 140-2 in 2001. FIPS 140-3 is the current version of the standard. It superseded FIPS 140-2 on September 22, 2019, and FIPS 140-3 testing began on September 22, 2020. FIPS 140-2 testing will continue through September 22, 2021. Concurrently with FIPS 140-3, FIPS 140-2 certified modules can remain active for five years after validation, or until September 21, 2026. All FIPS 140-2 validations will be moved to the historical list on September 21, 2026.

Is there a list of products that are FIPS 140-2 Validated?

NIST maintains a list of all commercially available products that have been FIPS 140-2 Validated. Go to https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search

Why is FIPS 140-2 important to Seagate sales partners?

Seagate sales partners can use the FIPS 140-2 validation, and the future FIPS 140-3 validation, as a marketing tool to demonstrate quality and critical security features that other products do not have. It creates an important distinction for today’s security-minded buyers.

What’s new about FIPS 140-3?

FIPS 140-3 comprises more automated validation and stricter security requirements. FIPS 140-3 aligns with two existing international standards and includes some modifications to its annexes.

  • ISO/IEC 19790:2012 – Security Requirements for Cryptographic Modules
  • ISO/IEC 24759:2017 – Test Requirements for Cryptographic Modules

What’s the timing for the transition to FIPS 140-3?

FIPS 140-3 testing starts on September 22, 2020. Seagate will start taking new enterprise products through FIPS 140-3 in 2021.
Seagate will maintain FIPS 140-2 certification on products that are certified against FIPS 140-2. FIPS 140-2 certificates will remain valid until September 22, 2026. NIST will continue to accept change letter requests for FIPS 140-2 certificates up to September 22, 2026. NIST will start FIPS 140-3 certifications on September 22, 2020. Any new product certifications that we pursue after September 22, 2020 are scheduled to be FIPS 140-3 certifications.

What does the NIST “sunset” date mean on FIPS 140-2 certificates? What if a product sunset date falls before September 22, 2016?

As stated above, “Concurrently with FIPS 140-3, FIPS 140-2 certified modules can remain active for five years after validation, or until September 21, 2026. All FIPS 140-2 validations will be moved to the historical list on September 21, 2026.”
FIPS certificates are valid for five years after issue. If they are not extended, they sunset, which means they move to the historical list. FIPS certification can be extended through the 2SUB change letter process. As we get closer to the sunset date, Seagate will work with customers to submit a 2SUB for certificates that we want to extend. When NIST approves the 2SUB, they issue a new certificate and extend the sunset date. All indications are that this should not be a problem.

Footnotes:

1 Ponemon Institute, 2008 Annual Study: U.S. Cost of a Data Breach, February, 2009, www.ponemon.org, as quoted in Data-breach costs rising, study finds, Ellen Messmer, Network World, 02/02/09.

2 Intel Study: Stolen Laptops Cost to Business; eWeek, April 23, 2009; Ponemon Institute Study, April 2009.