FIPS Compliance vs Certified: Learn the Differences & Levels (2024)

Big data is fast becoming one of the most valuable commodities of modern life. And, as more and more businesses scale their security solutions by deploying more sophisticated technology, we’re seeing an increase in big data and AI analytics.

Intelligent physical security solutions enable companies to leverage big data to operate more effectively, improving their decision-making and identifying trends that can boost efficiency. Data is also required for auditing purposes and to improve response times.

But with data comes heavy regulation and compliance considerations, particularly with data that includes PII (Personally Identifiable Information). If your business works with security technology, you’ve likely heard of FIPS certification and compliance. They’re not only vital to protect data, but to demonstrate secure and reputable operations that are on par with U.S. government security.

There is often some confusion surrounding the nuances of FIPS compliance and FIPS certification. This guide will break down the difference between certification and compliance, and why they are important when considering video security providers.

What is FIPS?

FIPS (Federal Information Processing Standards) is the data security and computer system standard in accordance with the Federal Information Security Management Act of 2002.

FIPS 140-2 is the go-to cryptography module standard for many state and government agencies as well as public sector enterprises. All U.S. government agencies, including their suppliers and contractors, are required to meet the standards as set out within the FIPS certification, which we will come back to later. It’s one of the most stringent and reputable sets of standards available, which could explain why more industries – including the video surveillance industry – are leveraging this certification for more secure data and software.

The standard itself was brought into place by the National Institute of Science and Technology (NIST) to protect government data and ensure that those working closely with government agencies comply with the set of standards before they can access any data.

As the gatekeeper of highly sensitive information, the government must maintain the highest level of security and integrity when it comes to safeguarding that information.

Why is FIPS compliance so important in the security camera industry?

With the move to cloud technology, commercial security and commercial security cameras are enabling businesses to scale and grow more flexibly. But there are many other benefits influencing this move. Legacy analog systems have their limitations. Previously, security teams with analog systems had to rely on manual footage monitoring, and base their decisions on previously identified events.

With the introduction of cloud and video analytics technology, security teams and camera manufacturers are empowered by the added intelligence from AI technology and analytics. By accurately monitoring hours of footage over a 24/7 period, these technologies minimize the occurrence of human error. This, paired with AI solutions, helps security professionals identify patterns and make faster and more accurate decisions.

This new wave of video analytics and video security technology, however, presents new compliance issues and data challenges, especially when it comes to the encryption and protection of data. Vehicles, people, and other identifiable factors all fall into the category of PII, and cloud services and solutions are likely to encrypt that data at rest. This is where FIPS compliance and FIPS certification are vital.

What is FIPS compliance?

So, what makes a video camera or security system FIPS compliant? To be FIPS compliant, an organization’s IT and surveillance systems must meet the requirements outlined in the FIPS publication. These can include 140, 180, 186, 197, 198, 199, 200, 201, and 202.

But FIPS compliance does not extend as far as certification. Demonstrating FIPS compliance means that only parts of the product may meet the FIPS guidelines and the system has not been tested as a whole. If a product is deemed FIPS compliant, but not FIPS certified, it may have failed one or more tests at an NIST lab, or is still awaiting certification. That means there could still be vulnerabilities within the system, and validated organizations will not be able to work with this software or product.

What does it mean to be FIPS certified?

For a video security system to become FIPS certified, it needs to undergo rigorous independent testing by an NIST approved lab. The lab will determine whether it meets the stringent standards of the FIPS and has passed testing.

To begin the process, it’s recommended that a system is examined for potential vulnerabilities or areas that require further scrutiny. These are the areas that will be necessary for the lab to approve and are sometimes referred to as ‘cryptographic boundaries’.

The differentiation between compliance and certification comes here: to obtain FIPS certification you must ensure your system is FIPS compliant first. This can be done by assessing your system against the FIPS guidelines which will highlight areas of improvement. This is the best way to get your system ready for FIPS certification.

What’s the difference between FIPS compliant and FIPS certified?

For a security solution to be deemed FIPS certified, its entire product must meet the requirements of the FIPS (Federal Information Processing Standards) and adhere to its standards pertaining to document processing, encryption and dissemination.

All federal agencies, government contractors and city surveillance camera suppliers should be compliant with FIPS as well and have their FIPS certificate.

During the certification process, all file transfer software and server applications are rigorously tested to ensure they meet the FIPS standard. A NIST approved lab will test the system to ensure its certification. This process generally takes around 6 to 9 months. If any software or code fails during the testing process, it needs to be corrected, and the testing process restarted.

This is also applicable to software and code changes after certification, where the code needs to be re-validated to ensure no new errors have entered the system.

Compliance is a lot easier to obtain, but it doesn’t give you the same authority to work with a government organization or agency as certification does. To be deemed compliant, only parts of the system may meet the requirements, and the product has not been approved by the NIST testing labs.

What is FIPS 140-2?

Both FIPS 140-1 and FIPS 140-2 are standards for the implementation of cryptographic modules. Within the set of standards, those working with security devices will hear FIPS 140-2 referred to often. FIPS 140 is important because it covers cryptographic modules and testing requirements in both hardware and software. This is the standard set out for handling cryptographic modules where data is encrypted at rest and in transit.

In security devices such as video cameras, these cryptographic modules must be FIPS certified or compliant to protect the modules from being hacked, altered or tampered with. Telecommunications systems and many cloud applications encrypt their data at rest in storage systems, so the standard also applies to them.

What is FIPS 197?

The Advanced Encryption Standard, or FIPS 197, is a publicly available cryptographic algorithm used by the NSA. The FIPS 197 certification looks more closely at the hardware encryption algorithms, and approves the algorithm to protect electronic data. It’s important for security vendors to be able to differentiate the two because the FIPS 140-2 is the more advanced level of the FIPS 197.

What if a provider is not FIPS certified?

You might be wondering, if FIPS compliance is met, is certification still required? Without FIPS certification, an organization may need to go to extra lengths to demonstrate their systems are safe to operate. This can lead to unnecessary downtime, a strain on resources and interruptions to operations. It could also create limitations in the product’s deployment, as parts of the IT system may not meet FIPS 140 requirements.

Generally, it’s in the best interest of the organization to obtain certification, since it provides peace of mind, above all, that sensitive data is protected under one of the world’s most secure certification standards.

Which types of organizations need to be FIPS certified?

If an organization works within a federal government department and collects, stores, transfers, shares or disseminates sensitive information, certification is mandatory.

In the realm of security technology, this is applicable to organizations working with video technology and government security cameras due to the presence of PII.

But FIPS certification is recognized around the world, and is believed to be one of the best ways to ensure cryptographic modules are secure. Many organizations outside of the government still employ FIPS standards so they can be sure they are in line with some of the best global security standards. Other fields such as healthcare, manufacturing and financial services also comply with FIPS 140-2.

How does an organization become FIPS validated?

To become FIPS compliant there are a number of FIPS requirements that a government agency security system or IT system must meet, including:

FIPS 140-2

A system with the FIPS 140-2 certificate is confirmed to have been tested and formally validated by the U.S. government as part of the FIPS, but there are further iterations of the certification.

FIPS 140-2 Level 1: This pertains to protection grade equipment and externally tested algorithms.

FIPS 140-2 Level 2: Under level 2, requirements are added for physical tamper-evidence and role based authentication.

FIPS 140-2 Level 3: This allows for cryptographic modules to be used on general purpose PCs, but the system must meet the minimum requirements.

FIPS 140-2 Level 4: This provides the highest level of security, providing a high level of protection around the entire cryptographic module with the ability to detect and respond to unauthorized attempts at physical access.

Final words on FIPS certified vs. compliance

The introduction of the FIPS publication was ultimately to protect sensitive data and information in the U.S. and beyond. The U.S. government works with many service providers and contractors, meaning their data could be subject to hacking, altering, and tampering without FIPS encryption standards and stringent guidelines.

NIST introduced the guidelines for this reason, but the benefit to organizations obtaining certification is that they can attest to the fact their security systems adhere to some of the most important and recognizable guidelines in the world. This shows customers that you are operating a system that is secure, protected, and effective.

Article information

Author: Jamar Nader
