The short answer? You can be assured that FIPS-certified SSDs meet federal cryptography standards for securing your data at rest. Now for a little bit more.

First, let’s take a step back. When people hear “cyberattack” or “cybersecurity” they often think of viruses, malware, ransomware, firewalls, and so on. In other words, mostly internet or network-related terms. Let’s also recognize that protecting or securing data at rest (DAR) is a critical part of comprehensive cybersecurity or zero trust solutions. In fact, securing data at rest is an important piece of the May 2021 Executive Order on Improving the Nation’s Cybersecurity.

Enter FIPS

When seeking storage solutions to secure data at rest, whether by mandate or simply to better protect sensitive information, you will invariably discover FIPS 140-2 certified SSDs. FIPS stands for Federal Information Processing Standards, which are maintained by the National Institute of Standards and Technology. NIST developed FIPS for use in computer systems by non-military American government agencies and government contractors.

The FIPS 140 series of standards is a set of U.S. government computer security standards that specify requirements for cryptographic modules used in systems to protect sensitive information. Quick history lesson: FIPS 140 has its roots in Federal Standard 1027, issued by the General Services Administration in 1982. Fed-Std-1027 defined requirements for devices that used the Data Encryption Standard in effect at the time. DES itself was described in FIPS publication 46, first published in 1977.

Fast forward to today. Two versions of the standard are current and active: FIPS 140-2 and FIPS 140-3. The FIPS 140-2 standard was approved in 2002 and FIPS 140-3 went into effect in 2019. All FIPS 140-2 certified devices will continue to be listed until 2026; any devices now entering the certification process are tested against the 140-3 standard. NIST provides for a long transition phase, so be assured that SSDs certified against the 140-2 standard will continue to be viable data security products for quite some time. BTW, note that FIPS 140 also defines four security levels, intended for a range of uses and operating environments. For example, a FIPS 140-2 Level 2 device must provide physical tamper-evidence as well as role-based authentication.

FIPS-certified vs FIPS-compliant

To become a FIPS-certified SSD, all hardware, firmware, and software of the security solution must be tested and approved by a NIST-accredited independent laboratory.

The validation process generally takes 6 to 9 months, during which the validation team thoroughly examines detailed documentation and source code for the SSD and its firmware. Any failures during testing must be addressed, and the testing process is then repeated from the beginning.

Upon successful completion of the validation process, NIST issues a certificate number and lists the FIPS-certified SSD in a searchable database, along with all other FIPS-certified devices and products. This provides you the assurance that you can safely use the SSD in solutions to secure data at rest.

Sometimes you may see products marketed as “FIPS compliant.” Although this classification may suit your solution, look a little closer. Vendors using this labeling are claiming that the product meets FIPS requirements without having completed the certification process. Maybe components in the solution meet FIPS requirements, or maybe the product is still being evaluated. Quiz the vendor to find out exactly what stage the product is in and why the product is compliant but not certified. Without NIST certification or a path to validation, you’re never quite sure whether the solution will adequately protect your data.

Additional Resources

Whitepaper: Building a Citadel of Trust in a Zero Trust World

Whitepaper: Is Your Data at Rest (DAR) Truly Secure?

Blog: An Overview of Encryption Standards and Technologies

Blog: Pentagon Accelerates Adoption of ‘Zero Trust’ Cybersecurity

Blog: Is BitLocker Sufficient?

Blog: Hardware-Based Full Disk Encryption vs. Software-Based Full Disk Encryption