Compliance

Operating in compliance with national and international information security and engineering standards.

Federal Information Processing Standard (FIPS) Publication 140-2

FIPS 140-2 is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware. NetApp offers cryptographic modules that have achieved FIPS 140-2 validation.

About FIPS 140-2

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware that protect sensitive information. Compliance with the standard is mandated for use by U.S. government agencies, and it is also often used in such regulated industries as financial services and healthcare.

A cryptographic module is a piece of hardware, software, or a component of either that performs encryption operations. Cryptographic modules include cryptographic algorithms. Under the FIPS 140-2 standard, both the algorithm and the module are evaluated for compliance, using programs that are jointly developed by the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS).

The Cryptographic Module Validation Program (CMVP) is the security accreditation program for cryptographic modules. The Cryptographic Algorithm Validation Program (CAVP) provides guidelines for validating the effectiveness of FIPS-approved and NIST-recommended cryptographic algorithms. A NIST-accredited third-party lab tests these algorithms and their components and validates their implementation and strength through this program.

FIPS 140-2 security requirements encompass 11 areas related to the design, strength, and operation of a cryptographic module—for example, cryptographic module specification and cryptographic key management. Each area includes a description of the methods that the NIST lab uses to evaluate the module.

In each of the 11 areas, FIPS 140-2 defines four security levels. Level 1 is the least restrictive, specifying the lowest level of security, and Level 4 specifies the highest level. Each level builds on the previous one, requiring more evidence and engineering of the product to demonstrate compliance.

  • Level 1 validation requires the cryptographic module to contain FIPS-approved algorithms. Typically, software attains Level 1 validation because the remaining levels specify physical requirements, which cannot be addressed through software.
  • Level 2 validation adds physical requirements, such as tamper evidence and opacity. If someone tries to tamper with the device, there should be evidence of it—typically, breakaway screws or adhesive that cannot easily be removed. Opacity requires that a person cannot directly observe the internals of the module while it performs cryptographic operations. Typically, vendors encase the cryptographic module to meet the opacity requirement.
  • Level 3 validation adds requirements for physical tamper resistance to prevent intruders from accessing the cryptographic module. Mechanisms may include strong enclosures and circuitry that detects when the module doors have been opened.
  • Level 4 validation requires a complete security envelope that detects and immediately responds to all unauthorized physical access.

Accredited third-party labs perform validation tests of the cryptographic modules against FIPS 140-2 requirements, issuing a validation certificate that includes the module’s overall rating.

NetApp and FIPS 140-2

NetApp takes a variety of approaches to FIPS 140-2 compliance. This is because NetApp offers a variety of hardware, software, and services, which can include various components of the cryptographic modules validated under the standard.

  • For covered software, NetApp includes cryptographic modules that have achieved Level 1 validation for data-in-flight and data-at-rest encryption.
  • For covered hardware, NetApp acquires both hardware and software modules that have been FIPS 140-2 validated by the suppliers of those components. For example, the NetApp Storage Encryption solution leverages FIPS Level 2 validated drives.
  • Sometimes, features of a NetApp product can use a validated module in a way that complies with the standard even though the product or feature is not within the boundary of the validation. For example, NetApp Volume Encryption is FIPS 140-2 compliant. Although not separately validated, it leverages the NetApp CryptoMod (Level 1 validated in certain versions of ONTAP) in a FIPS-compliant manner. The security policy that is created as part of the validation specifies how to use the module so that it complies with the FIPS standard.

NetApp in-scope products and services

FIPS 140-2 Level 1 validated

  • The NetApp Cryptographic Security Module (NCSM), used for SSH and TLS communication through various products including certain versions of ONTAP and Element software.
  • Certain versions of ONTAP include NetApp CryptoMod, used for Onboard Key Manager, NetApp Volume Encryption (NVE), and NetApp Aggregate Encryption (NAE). NVE and NAE technologies enable encryption of data at the volume and aggregate level respectively, making the solution agnostic of the physical drive.

FIPS 140-2 Level 2 validated self-encrypting drives

NetApp purchases self-encrypting drives (SEDs) that have been FIPS 140-2 validated by the original equipment manufacturer (OEM); customers seeking these drives must specify them when ordering. Drives are validated at Level 2, but the rest of the system is not validated. The following NetApp products can leverage validated SEDs:

  • AFF A-Series and FAS storage systems
  • E-Series and EF-Series storage systems
  • StorageGRID Object Storage (when using E-Series and EF-Series systems)
  • NetApp HCI

Beyond FIPS 140-2 Level 2

Several NetApp products can be paired with an external key manager whose Hardware Security Module (HSM) has achieved Level 3 validation. This does not make the entire solution Level 3, but it provides assurance that the keys are stored in a module validated at that level.

FIPS 140-2 validated NetApp certificates

For more information, including the certificate and its related security policy, click the certification number. Contact NetApp Support or your NetApp account manager for more information on which ONTAP and Element software versions are available with FIPS 140-2 validated modules.

  • NetApp CryptoMod 2.1 Cert #3387 (Level 1)
  • NetApp CryptoMod 2.0 Cert #3072 (Level 1)
  • NetApp Cryptographic Security Module (NCSM) Cert #2648 (Level 1)
  • AFF A-Series, FAS, E-Series, and EF-Series storage systems; StorageGRID Object Storage; and NetApp HCI can use validated SEDs; they are listed on the FIPS Matrix. (Login required.)

Frequently asked questions

What’s the difference between FIPS 140-2 validation and FIPS 140-2 compliance?

FIPS 140-2 validation of a cryptographic module means that it has completed the CMVP validation process and been certified. Products and services that implement those validated cryptographic modules for encryption or cryptographic functions in compliance with the security policy can be said to be in “compliance” with the standard.

Are all encrypting drives that NetApp sells FIPS 140-2 validated?

No. Level 2 drives come at a premium, so NetApp offers alternatives for customers who decide that the validation is not critical for them.

What if I need a validated product?

Although the FIPS 140-2 validation programs apply only to the cryptographic modules used by NetApp products and services, other certification programs exist that rely on or reference FIPS 140-2 validated cryptography. For example, Common Criteria evaluates security functionality, including encryption, and often relies on FIPS 140-2 validation when issuing Common Criteria certification.

Because of the variety of products offered by NetApp, it is recommended that you verify with your account manager that the specific product you are ordering includes FIPS 140-2 validated cryptographic modules, if you require such validation for your particular usage.

ONTAP Data Security

Leverage ONTAP to build a Zero Trust architecture to protect company and customer data across your hybrid cloud.

FIPS Matrix

Lists NetApp drives that are FIPS 140-2 validated with supporting details. (Login required.)

SANtricity Drive Security for E-Series Systems

Describes SANtricity full disk encryption, support for FIPS 140-2 validated drives, and internal and external key management.

NetApp: Four encryption-at-rest solutions

Explore NetApp Storage Encryption, NVMe Self-Encrypting Drives, NetApp Volume Encryption, and NetApp Aggregate Encryption.

FIPS Pub 140-2: Security Requirements for Cryptographic Modules

The official NIST publication defining the FIPS 140-2 standard.

Common Criteria

Certification of NetApp products to the Common Criteria (ISO/IEC 15408).