Some vendors offer FIPS 140-2 certified SSDs to consumers who wish to securely store and access data at rest. Originally created for government agencies and contractors, FIPS is now used by professionals in many non-governmental industries like healthcare, finance and tech. But why should you buy FIPS-Certified SSDs instead of purchasing FIPS-Compliant drives? We underscore the value of exhaustively tested and proven secure solid state drives below.
Answering Your FAQs About FIPS-Certified SSDs
First, let’s answer a few frequently asked questions about FIPS Certification and SSDs.
What Are SSDs?
SSDs are solid state drives. Solid state drives were originally developed in the 1970s—just a few decades after HDDs became commercially available. The original solid state drives were quickly followed by flash SSDs in the 1980s.
Unlike traditional HDDs, today’s SSDs are small, portable, durable and far more shock-resistant. Many 21st century SSDs offer high-capacity storage while also retrieving data far faster than earlier generations. Our self-encrypting solid-state drives allow for secure data-at-rest (DAR) storage.
DIGISTOR SSDs are commonly used in laptops (both rugged and standard), desktops, military UAVs and other devices that require secure data storage.
What is FIPS Certification?
FIPS stands for “Federal Information Processing Standard.” According to the National Institute of Standards and Technology (NIST), “FIPS are standards and guidelines for federal computer systems.”
These standards were developed by NIST “in accordance with the Federal Information Security Management Act (FISMA).” They are also “approved by the Secretary of Commerce.” These government computer security standards specify requirements for cryptographic modules used in systems to protect sensitive information.
This set of standards was intended for use by federal employees but is now applied to products developed for public consumption. Today, professionals in healthcare, the finance sector, and many other industries reference FIPS before choosing technology to support their operations and protect sensitive data.
For example, we have SSDs that are FIPS-Certified and economically accessible. At an affordable price point, they are available to both government and private organizations. In addition to being FIPS-Certified, our drives are also listed on the NSA’s Commercial Solutions for Classified (CSfC) Components List as well as the NIAP Product Compliant List (PCL). By meeting Common Criteria, DIGISTOR’s NVMe SSDs became the first commercially priced SSDs to receive full NIAP listing status.
How Did FIPS Emerge?
FIPS 140 has its roots in Federal Standard 1027—which was issued by the General Services Administration in 1982. Fed-Std-1027 defined requirements for devices that used the Data Encryption Standard in effect at the time. The DES itself was described in FIPS publication 46—first published in 1977. FIPS emerged not long after the wide adoption of HDDs and the introduction of SSDs.
What’s the Difference Between FIPS 140-2 and FIPS 140-3?
Today, we have two versions of the standard: FIPS 140-2 and FIPS 140-3. The FIPS 140-2 standard was approved in 2002, and FIPS 140-3 went into effect in 2019. All FIPS 140-2 certified devices will continue to be listed until 2026. Any devices now entering the certification process are tested against the 140-3 standard.
NIST provides for a long transition phase, so be assured that SSDs certified against the 140-2 standard will continue to be viable data security products for quite some time. FIPS 140 defines four levels of security—each of which is defined for use in a variety of circumstances and environments. For example, a FIPS 140-2 Level 2 device must provide physical tamper-evidence as well as role-based authentication.
Up-to-date FIPS publications can be found through NIST’s Computer Security Resource Center. To ensure SSDs are actually compliant with federal information processing standards, search for each product in NIST’s Cryptographic Module Validation Program.
How Does an SSD Become FIPS-Certified?
The journey to FIPS Certification is a long and often arduous one. To become a FIPS-certified SSD, all hardware, firmware, and software of the security solution must be tested and approved. Only a NIST-accredited independent laboratory can test and approve SSDs nominated for FIPS Certification.
This validation process generally takes 6 to 9 months. During the testing phase, a NIST validation team thoroughly examines detailed documentation and source code for the SSD and its firmware. Any failures that occur during this testing process must be addressed by the manufacturer. Once the failures are addressed, the testing process is repeated from the very beginning.
Upon successful completion of the validation process, NIST issues a certificate number and lists the FIPS-certified SSD in a searchable database. This database includes all other FIPS-certified devices and products. FIPS Certification assures consumers that they can reliably use our SSDs to secure even the most sensitive DAR.
When is an SSD FIPS-Certified vs FIPS-Compliant?
As noted above, some SSDs achieve FIPS Certification after they are tested, altered, retested and finally approved by a NIST-accredited lab. While some SSDs are FIPS-Certified, others are labeled “FIPS-compliant.”
A FIPS-compliant drive might meet acceptable industry standards, but you’re taking the word of the vendor, not a certifying body. By contrast, FIPS-Certified self-encrypting drives offer a greater level of security that has been tested and proven by experts. Consumers should be wary of SSDs labeled “FIPS-compliant,” as some vendors use this labeling to equate their product to a FIPS-Certified product.
How Can I Be Sure That FIPS-Compliant Drives Are On the Path to Certification?
In some cases, components of those drives do meet FIPS requirements. Other times, the drives are being evaluated for certification and are “waiting” in the compliant security categorization.
To ensure the product you plan to purchase meets your data storage needs, ask the vendor if their drives comply with FIPS guidelines and are currently being tested. Find out exactly which stage the product is in and ask why the product is compliant but not certified.
Without NIST certification or a path to validation, you’re never quite sure whether the solution will adequately protect your data.
Why Should I Buy FIPS-Certified SSDs?
The short answer? You can be assured that FIPS-certified SSDs meet federal information processing standards for securing your data at rest, but let’s delve a bit deeper.
When people hear “cyberattack” or “cybersecurity,” they often think of viruses, malware, ransomware, firewalls, and so on. In other words, we think of cyberattacks as limited to devices connected to the internet.
However, devices that are completely disconnected from a network can still be at risk of attack. As such, protecting or securing data at rest (DAR) is a critical part of comprehensive cybersecurity or zero trust solutions. In fact, securing data at rest is an important piece of the May 2021 Executive Order on Improving the Nation’s Cybersecurity.
Our FIPS-Certified self-encrypting drives ensure DAR is well protected from online and brute-force attacks.