This week, FedRAMP published several Q&As for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Here are some basic questions our FedRAMP SMEs get about FIPS 140-2 validation compliance for Multi-Factor Authentication (MFA).
Q: I hear FIPS-validation does not apply to One-Time-Password (OTP) authentication. Is this true or false?
A: This is FALSE! You need both a FIPS-validated authenticator (such as an OTP application) and a FIPS-validated verifier (located on a server of the cloud service you are accessing). There is one minor exception: Low baseline systems do not require FIPS 140 validation for the authenticator. FIPS 140 validation is still required for the verifier.
Q: If I do not use OTP, can I use an out-of-band authenticator such as SMS or voice?
A: Per NIST SP 800-63B, out-of-band authenticators delivered over the Public Switched Telephone Network (PSTN), such as SMS and voice, are allowed but restricted. They can be used as long as the following conditions are met:
- The CSP also offers an alternative authenticator that is not restricted
- There is a plan in place to move off the restricted authenticator immediately should NIST change its status from restricted to prohibited
Methods that do not prove possession of a specific device, such as voice-over-IP (VoIP) or email, must not be used for out-of-band authentication (SP 800-63B states this as a SHALL NOT).
Q: If I use a FIPS-validated PIV for authentication, do I need a FIPS-validated verifier?
A: Nope! Verifiers are only required for OTP MFA (tokens).
Q: If several MFA solution choices (both FIPS-validated and non-FIPS-validated) are offered by an underlying service vendor, may I select any of them?
A: Nope! You are responsible for choosing an MFA solution that is FIPS-validated, regardless of what the vendor indicates may be used (check the validated module list of the NIST Cryptographic Module Validation Program). If you need help understanding anything related to MFA solutions, NIST SP 800-63B has the technical details.
Q: How can a vendor meet the requirements of FIPS 140?
A: In order to meet the requirements of FIPS 140, a vendor must do one of two things:
1) Submit to the NIST Cryptographic Module Validation Program (CMVP) and get their own certificate
2) Self-attest that their product meets all of the following criteria: a) it includes an existing CMVP-validated Cryptographic Module (CM); b) the CM is deployed according to the Security Policy that accompanies its certificate; c) all cryptographic functions are performed inside the validated CM.
Cloud Service Providers
Q: Do I need to implement the Department of Homeland Security’s Binding Operational Directive (BOD-18-01) regarding Domain-based Message Authentication, Reporting, and Conformance (DMARC)?
A: Like all things in security, it depends. If your Cloud Service Offering (CSO) includes a service or function that sends email for or on behalf of the Government, regardless of the actual sender, the Directive does apply and you must implement its requirements. Please note that this includes configuring the CSP's DMARC record to send automated aggregate reports to DHS. Aggregate reports should be sent to NCCIC at firstname.lastname@example.org.
However, if the CSP uses email only to send notifications about internal CSO system events or issues (e.g., the system is down, a maintenance window announcement, or a disk-full alert) to Government or CSP administrators, compliance with the Directive is not required, though it would be considered a best practice.
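The DMARC part of the Directive can be checked against the TXT record a CSP actually publishes at _dmarc.<domain>. The following is an added example (not FedRAMP's or DHS's code) that parses a DMARC record per RFC 7489 and flags the settings a BOD 18-01 review looks at: the policy must be p=reject, pct must not sample it down, and the rua= list must include the DHS reporting mailbox. The page's copy of that mailbox is redacted, so the address is passed in as a parameter; the domains, addresses and records below are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample DMARC TXT records (not any real domain's records).
# The DHS reporting address is a placeholder; substitute the one named in BOD 18-01.
DHS_RUA_PLACEHOLDER = "reports@dhs.example"
SAMPLE_RECORDS = {
    "compliant": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@agency.example,"
                 "mailto:reports@dhs.example!10m; ruf=mailto:forensics@agency.example; fo=1",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc-rua@agency.example",
    "quarantine_partial": "v=DMARC1; p=quarantine; pct=50; rua=mailto:reports@dhs.example",
    "not_dmarc": "v=spf1 include:_spf.example -all",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into lower-cased tag -> value.

    RFC 7489 records are ';'-separated tag=value pairs; the first must be
    v=DMARC1. Returns {} when the string is not a DMARC record at all
    (e.g. an SPF record that was published at _dmarc by mistake).
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # empty trailing segment or malformed pair; receivers ignore these
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def rua_addresses(tags: Dict[str, str]) -> List[str]:
    """Return the mailboxes in rua= (comma-separated mailto: URIs, optional !size suffix)."""
    addrs: List[str] = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            # RFC 7489 allows a "!10m"-style report size limit after the address.
            addrs.append(uri[len("mailto:"):].split("!", 1)[0].lower())
    return addrs


def check_bod_18_01(record: str, required_rua: str) -> Tuple[bool, List[str]]:
    """Evaluate a DMARC record against the BOD 18-01 DMARC requirements.

    Returns (compliant, findings). Findings are empty when compliant.
    """
    findings: List[str] = []
    tags = parse_dmarc(record)
    if not tags:
        return False, ["not a valid DMARC record (missing v=DMARC1)"]

    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}; BOD 18-01 requires p=reject")

    # sp= overrides the policy for subdomains; a weaker value re-opens them.
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy != "reject":
        findings.append(f"sp={sub_policy} weakens the subdomain policy; expected reject or no sp tag")

    # pct defaults to 100; anything lower applies the policy to only a sample of mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        findings.append(f"pct={pct}; the reject policy must apply to 100% of messages")

    if required_rua.lower() not in rua_addresses(tags):
        findings.append(f"rua= does not include the required reporting mailbox {required_rua}")

    return (not findings), findings


if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        ok, findings = check_bod_18_01(record, DHS_RUA_PLACEHOLDER)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the record comes from a DNS TXT lookup of _dmarc.<domain> rather than a literal; the parser is unchanged either way. Note that the check only tells you the record is published correctly; whether aggregate reports actually reach DHS also depends on the mail path for the rua mailbox and on every sending host being covered by the domain's SPF and DKIM.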
Read more about this week's FedRAMP Tips and Cues here.