Understanding FIPS certification and compliance for video security

What is FIPS?

FIPS (Federal Information Processing Standards) is the data security and computer system standard in accordance with the Federal Information Security Management Act of 2002.

FIPS‑2 140 is the go-to cryptography module standard for many state and government agencies as well as public sector enterprises. All U.S. government agencies, including their suppliers and contractors, are required to meet the standards as set out within the FIPS certification, which we will come back to later. It’s one of the most stringent and reputable sets of standards available, which could explain why more industries – including the video surveillance industry – are leveraging this certification for more secure data and software.

The standard itself was brought into place by the National Institute of Science and Technology (NIST) to protect government data and ensure that those working closely with government agencies comply within the set of standards before they can access any data.

As the gatekeeper of highly sensitive information, the government must maintain the highest level of security and integrity when it comes to safeguarding that information.

Why is FIPS compliance so important in the security camera industry?

With the move to cloud technologyin the cloud, commercial security and commercial security cameras are enabling businesses to scale and grow more flexibly. But there are many other benefits influencing this move. Legacy analog systems have their limitations. Previously, security teams with analog systems had to rely on manual footage monitoring, and base their decisions on previously identified events.

With the introduction of cloud and video analytics technology, security teams and camera manufacturers are empowered by the added intelligence from AI technology and analytics. By accurately monitoring hours of footage over a ²⁴⁄₇ period, these technologies minimize the occurrence of human error. This, paired with AI solutions, helps security professionals identify patterns and make faster and more accurate decisions. 

This new wave of video analytics and video security technology, however, presents new compliance issues and data challenges, especially when it comes to the encryption and protection of data. Vehicles, people, and other identifiable factors all fall into the category of PII, and cloud services and solutions are likely to encrypt that data at rest. This is where FIPS compliance and FIPS certification are vital.

What is FIPS compliance?

So, what makes a video camera or security system FIPS compliant? To comply with FIPS compliance requirements, an organization’s IT and surveillance systems must meet the requirements outlined in the FIPS publication. These can include 140, 180, 186, 197, 198, 199, 200, 201, and 202. 

But FIPS compliance does not extend as far as certification. Demonstrating FIPS compliance means that only parts of the product may meet the FIPS guidelines and the system has not been tested as a whole. If a product is deemed FIPS compliant, but not FIPS certified, it may have failed one or more tests at an NIST lab, or is still awaiting certification. That means there could still be vulnerabilities within the system, and validated organizations will not be able to work with this software or product. 

What does it mean to be FIPS certified?

For a video security system to become FIPS certified, it needs to undergo rigorous testing independently by an NIST approved lab. The lab will determine whether it meets the stringent standards of the FIPS and passed testing. 

To begin the process, it’s recommended that a system is examined for potential vulnerabilities or areas that require further scrutinization. These are the areas that will be necessary for the lab to approve and are sometimes referred to as ​‘cryptographic boundaries’.

The differentiation between compliance and certification comes here: to obtain FIPS certification you must ensure your system is FIPS compliant first. This can be done by assessing your system against the FIPS guidelines which will highlight areas of improvement. This is the best way to get your system ready for FIPS certification. 

What’s the difference between FIPS compliant and FIPS certified?

For a security solution to be deemed FIPS certified, its entire product must meet the requirements of the FIPS (Federal Information Processing Information Standards) and adhere to its standards pertaining document processing, encryption and dissemination.

All federal agencies, government contractors and city surveillance camera suppliers should be compliant with FIPS as well and have their FIPS certificate.

During the certification process, all file transfer software and server applications are rigorously tested to ensure they meet the FIPS standard. A NIST approved lab will test the system to ensure its certification. This process generally takes around 6 – 9 months. If any software or code fails during the testing process, it needs to be corrected, and the testing process restarted.

This is also applicable to software and code changes after certification, where the code needs to be re-validated to ensure no new errors have entered the system. 

Compliance is a lot easier to obtain, but it doesn’t give you the same authority to work with a government organization or agency as certification does. To be deemed compliant, only parts of the system may need the requirements of the system, and the product has not been approved by the NIST testing labs.

What is FIPS 140 – 2?

Both FIPS 140 – 1 and FIPS 140 – 2 are standards for the implementation of cryptographic modules. Within the set of standards, those working with security devices will hear FIPS 140 – 2 referred to often. FIPS 140 is important because it covers cryptographic modules and testing requirements in both hardware and software. This is the standard set out for handling cryptographic modules where data is encrypted at rest and in transit.

In security devices such as video cameras, these cryptographic modules must be FIPS certified or compliant to protect the modules from being hacked, altered or tampered with. Telecommunications systems and many cloud applications encrypt their data at rest in storage systems, so are also applicable to the standard.

What is FIPS 197?

The Advanced Encryption Standard, or FIPS 197, is a publicly available cryptographic algorithm used by the NSA. The FIPS 197 certification looks more closely at the hardware encryption algorithms, and approves the algorithm to protect electronic data. It’s important for security vendors to be able to differentiate the two because the FIPS 140 – 2 is the more advanced level of the FIPS 197.

What if a provider is not FIPS certified?

You might be wondering, if FIPS compliance is met, is certification still required? Without FIPS certification, an organization may need to go to extra lengths to demonstrate their systems are safe to operate. This can lead to unnecessary downtime, a strain on resources and interruptions on operations. It could also create limitations in the product’s deployment, as parts of the IT system may not meet FIPS-140 requirements.

Generally, it’s in the best interest of the organization to comply with certification since it provides peace of mind above all that sensitive data protected under one of the world’s most secure certifications standards.

Which types of organizations need to be FIPS certified?

If an organization works within the federal government department and collects, stores, transfers, shares or disseminates sensitive information, certification is mandatory.

In the realm of security technology this is applicable to organizations working with video technology and government security cameras due to the presence of PII.

But FIPS certification is recognized around the world, and is believed to be one of the best ways to ensure cryptographic modules are secure. Many organizations outside of the government still employ FIPS standards so they can be sure they are in line with some of the best global security standards. Other fields such as healthcare, manufacturing and financial services also comply with FIPS 140 – 2.

How does an organization become FIPS validated?

To become FIPS compliant there are a number of FIPS requirements that a government agency security system or IT system must meet including: 

FIPS 140 – 2

A system with the FIPS 140 – 2 certificate is confirmed to have been tested and formally validated by the U.S. government as part of the FIPS, but there are further iterations of the certification.

FIPS 140 – 2 Level 1: This pertains to protection grade equipment and externally tested algorithms.

FIPS 140 – 2 Level 2: Under level 2, requirements are added for physical tamper-evidence and role based authentication.

FIPS 140 – 2 Level 3: This allows for cryptographic modules to be used on general purpose PCs, but the system must meet the minimum requirements.

FIPS 140 – 2 Level 4: This provides the highest level of security, providing a high level of protection around the entire cryptographic module with the ability to detect and respond to unauthorized attempts at physical access.

Final words on FIPS certified vs. compliance

The introduction of the FIPS publication was ultimately to protect sensitive data and information in the U.S. and beyond. The U.S. government works with many service providers and contractors, meaning their data could be subject to hacking, altering, and tampering without FIPS encryption standards and stringent guidelines.

NIST introduced the guidelines for this reason, but the benefit to organizations obtaining certification is that they can attest to the fact their security systems adhere to some of the most important and recognizable guidelines in the world. This shows customers that you are operating a system that is secure, protected, and effective.