-5

I am making an application that needs to be FIPS 140-2 level 1 compliant (not certified).

I was wondering if there were any special requirements for the host we chose for our app server/crypto-module.

Is standard cloud hosting okay? Is colocation at a standard facility okay? What if the server is caged at a standard facility?

Is there special cloud hosting? Special colocation?

Can we host in our own building?

If anyone could provide me guidance I would appreciate it.

TheCatWhisperer
  • Have you read [FIPS 140-2](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)? If not, start there. – voretaq7 Jan 17 '14 at 19:45
  • Yes. But I want to make sure I am interpreting it correctly instead of taking chances. It mentions a production grade case, but nothing about the host. – TheCatWhisperer Jan 17 '14 at 23:07

1 Answer

5

LITERALLY directly from FIPS 140-2:

> Security Level 1 provides the lowest level of security. Basic security requirements are specified for a cryptographic module (e.g., at least one Approved algorithm or Approved security function shall be used). No specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond the basic requirement for production-grade components. An example of a Security Level 1 cryptographic module is a personal computer (PC) encryption board.

> Security Level 1 allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an unevaluated operating system. Such implementations may be appropriate for some low-level security applications when other controls, such as physical security, network security, and administrative procedures are limited or nonexistent. The implementation of cryptographic software may be more cost-effective than corresponding hardware-based mechanisms, enabling organizations to select from alternative cryptographic solutions to meet lower-level security requirements.

(emphasis added)

voretaq7
  • Does this apply to cloud hosts? If one was on a cloud hosting site, how would one define the crypto-module? All FIPS says is use a "production-grade" case. It makes no mention of the hosting environment or whether cloud hosting is okay. I am not trying to take any chances here filling in the blanks. – TheCatWhisperer Jan 17 '14 at 23:10
  • The standard is pretty clear on how to define a cryptographic module (Section 4.1. Read it.) -- In this context production grade has a pretty obvious meaning: Something like a Dell R210 server is "production-grade"; A motherboard hotwired to a power supply on your desk with the hard drive hanging off by some cables is *not* "production-grade". For more details on what's expected contact your customer and determine their particular requirements for their particular application. FIPS documents do not supersede specific agencies' requirements - they're simply the lowest bar. – voretaq7 Jan 17 '14 at 23:44