Operating in compliance with national and international information security and engineering standards.
FIPS 140-2 is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware. NetApp offers cryptographic modules that have achieved FIPS 140-2 validation.
The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware that protect sensitive information. Compliance with the standard is mandated for use by U.S. government agencies, and it is also often used in such regulated industries as financial services and healthcare.
A cryptographic module is a piece of hardware, software, or a component of either that performs encryption operations. Cryptographic modules include cryptographic algorithms. Under the FIPS 140-2 standard, both the algorithm and the module are evaluated for compliance, using programs that are jointly developed by the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS).
The Cryptographic Module Validation Program (CMVP) is the security accreditation program for cryptographic modules. The Cryptographic Algorithm Validation Program (CAVP) provides guidelines for validating the effectiveness of FIPS-approved and NIST-recommended cryptographic algorithms. A NIST-accredited third-party lab tests these algorithms and their components and validates their implementation and strength through this program.
FIPS 140-2 security requirements encompass 11 areas related to the design, strength, and operation of a cryptographic module—for example, cryptographic module specification and cryptographic key management. Each area includes a description of the methods that the NIST lab uses to evaluate the module.
In each of the 11 areas, FIPS 140-2 defines four security levels. Level 1 is the least restrictive, specifying the lowest level of security, and Level 4 specifies the highest level. Each level builds on the previous one, requiring more evidence and engineering of the product to demonstrate compliance.
Accredited third-party labs perform validation tests of the cryptographic modules against FIPS 140-2 requirements, issuing a validation certificate that includes the module’s overall rating.
NetApp takes a variety of approaches to FIPS 140-2 compliance. This is because NetApp offers a variety of hardware, software, and services, which can include various components of the cryptographic modules validated under the standard.
FIPS 140-2 Level 1 validated
FIPS 140-2 Level 2 validated self-encrypting drives
NetApp purchases self-encrypting drives (SEDs) that have been FIPS 140-2 validated by the original equipment manufacturer (OEM); customers seeking these drives must specify them when ordering. Drives are validated at Level 2, but the rest of the system is not validated. The following NetApp products can leverage validated SEDs:
Beyond FIPS 140-2 Level 2
Several NetApp products can be paired with an external key manager that uses a Hardware Security Module (HSM) that has achieved Level 3 validation. This does not make the entire solution Level 3, but it does offer the assurance that the keys are stored at this level.
For more information, including the certificate and its related security policy, click the certification number. Contact NetApp Support or your NetApp account manager for more information on which ONTAP and Element software versions are available with FIPS 140-2 validated modules.
What’s the difference between FIPS 140-2 validation and FIPS 140-2 compliance?
FIPS 140-2 validation of a cryptographic module means that it has completed the CMVP validation process and been certified. Products and services that implement those validated cryptographic modules for encryption or cryptographic functions in compliance with the security policy can be said to be in “compliance” with the standard.
Are all encrypting drives that NetApp sells FIPS 140-2 validated?
No. Level 2 drives come at a premium, so NetApp offers alternatives for customers who decide that the validation is not critical for them.
What if I need a validated product?
Although the FIPS 140-2 validation programs apply only to the cryptographic modules used by NetApp products and services, other certification programs exist that rely on or reference FIPS 140-2 protocols for encryption. For example, the Common Criteria evaluates security functionality, including encryption, and often relies on the FIPS 140-2 validation in issuing Common Criteria certification.
Because of the variety of products offered by NetApp, it is recommended that you verify with your account manager that the specific product you are ordering includes FIPS 140-2 validated cryptographic modules, if you require such validation for your particular usage.