FIPS 140-2
Federal Information Processing Standards (FIPS) Publication 140-2 specifies security requirements for cryptographic modules. There is a lot of confusion when it comes to terminology - FIPS compliant vs. FIPS validated - and there is a significant difference between the two. We'll try to clarify some of that and explain how it applies to Virtru.
FIPS Compliant
Cryptographic modules are typically described as FIPS compliant when they utilize FIPS compliant encryption algorithms, such as AES-256 or RSA-2048.
FIPS Validated
In order for a cryptographic module to be FIPS validated, it must undergo an independent examination by a National Institute of Standards and Technology (NIST) accredited lab. The examination validates that the module is implemented in accordance with FIPS 140-2 requirements. Validated modules are issued certificates, which can be viewed on the Cryptographic Module Validation Program (CMVP) website.
Requirements
The Federal government mandates that all encryption be performed by FIPS validated cryptographic modules. State and Local governments, government contractors, and government services providers typically impose the same requirement. Compliance programs such as FedRAMP, CMMC, CJIS, and NIST SP 800-171 specifically demand FIPS validation.
FIPS 140-2 at Virtru
VirtruCrypto
Virtru has developed an encryption module specifically designed for the browser in order to enhance our client-side encryption support of FIPS 140-2. The module was validated by the Cryptographic Module Validation Program (CMVP) on February 21, 2023 under certificate #4440. This module is integrated into many of our encryption clients (refer to the table under Client-side below for more details).
Server-side
As a part of our FedRAMP authorization program, Virtru leverages FIPS 140-2 validated modules behind the scenes to encrypt data-in-transit and data-at-rest in the Virtru Data Protection Platform.
Client-side
All of Virtru’s encryption algorithms comply with FIPS 140-2 (AES-256); however, not all Virtru clients leverage FIPS validated encryption modules. Of those that do leverage FIPS validated modules, not all clients are enabled in FIPS mode by default.
In some clients, we use third-party encryption libraries that have been certified by, or for, companies such as Google, Microsoft, and Apple (more details below). Virtru has not been required to go through a validation directly in those instances.
Please review the table below to understand which clients support FIPS by default. If you need to ensure FIPS 140-2 compliance across Virtru clients in use, please contact support. Clients not on this list do not leverage FIPS validated modules.
Client | Module Name | CMVP Certificate | Notes |
---|---|---|---|
Google Chrome Browser Plugin - Gmail | VirtruCrypto | #4440 | FIPS mode is not enabled by default. Please contact support to enable FIPS mode. |
Microsoft Outlook (Microsoft 365 Add-In) | VirtruCrypto | #4440 | FIPS mode is not enabled by default. Please contact support to enable FIPS mode. |
Microsoft Outlook (Desktop Plug-In) | Windows | Varies by Windows version | The Outlook Desktop Plugin leverages the encryption module of the underlying Windows operating system. Customers should configure Windows in FIPS mode so that Virtru leverages the FIPS validated Windows encryption module. For more information on configuring different Windows versions in FIPS mode, refer to: https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation. Note that this does not apply to the Outlook Add-in for Desktop, Mobile, Web (Office 365). |
iOS | corecrypto | Varies by iOS version | Beginning with iOS 13, iOS devices will leverage the underlying encryption module provided by Apple. Apple takes all corecrypto modules through FIPS 140-2/140-3 validation. For more information, refer to Apple’s iOS Certification Guide. |
Virtru Data Protection Gateway (On-premises) | Bouncy Castle | #3154 | Please contact your Customer Success Manager to request FIPS mode configuration. The Virtru-hosted Gateway does not currently support a FIPS configuration. |
Virtru Private Key Store | N/A | N/A | The Virtru Private Key Store does not directly provide a FIPS validated encryption module; however, you can integrate with a FIPS validated Hardware Security Module (HSM) of your choice. For example, AWS CloudHSM. |
Virtru Secure Share | VirtruCrypto | #4440 | FIPS mode is not enabled by default. Please contact support to enable FIPS mode. |
Virtru Secure Reader | VirtruCrypto | #4440 | FIPS mode is not enabled by default. Please contact support to enable FIPS mode. |