FIPS 140-2 Standards Compliance

Overview

FIPS 140-2 standards are supported for SAS/SECURE and Transport Layer Security (TLS) encryption technologies. FIPS 140-2 is not a technology, but a definition of what security mechanisms should do. FIPS 140-2 is the current version of the Federal Information Processing Standardization 140 (FIPS 140) publication. FIPS 140-2 is a standard that describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use.
The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. FIPS 140-2 requires organizations that do business with a government agency or department that requires the exchange of sensitive information, to ensure that they meet the FIPS 140-2 security standards. In addition, the financial community increasingly specifies FIPS 140-2 as a procurement requirement.
The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptography modules that include both hardware and software components. Federal agencies and departments can validate that the module in use is covered by an existing FIPS 140-1 or FIPS 140-2 certificate. The certificate specifies the exact module name, hardware, software, firmware, and applet version numbers. For more information, see FIPS PUB 140-2 SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES.
There are four levels of security: from Level 1 (lowest) to Level 4 (highest). The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference or electromagnetic compatibility (EMI/EMC), and self-testing.

How SAS Implements FIPS

The ENCRYPTFIPS option is provided by SAS primarily as a mechanism to help ensure that your SAS system is configured to leverage the encryption algorithms and cipher suites specified by the FIPS 140-2 standard and that libraries will be validated for compliance when loaded. With this option enabled, SAS verifies that all of your SAS servers have been configured to use the FIPS approved Advanced Encryption Standard (AES) libraries or the TLS protocol. ENCRYPTFIPS makes sure IOM uses AES and that SAS/CONNECT uses AES or SSL.
However, turning off the SAS system option ENCRYPTFIPS does not impact the ability of SAS to use FIPS approved encryption algorithms available with SAS/SECURE, such as the Advanced Encryption Standard (AES), nor does it prevent SAS from leveraging strong FIPS approved cipher suites when acting as a TLS client.
If the ENCRYPTFIPS option is turned on, then SAS server-based TLS clients will attempt to load a special subset of OpenSSL libraries, contained as part of the OpenSSL FIPS Object Module. These libraries are not present by default and would need to be downloaded and compiled in accordance with the specific instructions specified by the FIPS standard. Therefore, turning on this option is not generally recommended, unless absolutely required by a customer’s policy. See TLS on UNIX: Building FIPS 140-2 Capable OpenSSL for additional information.
Standard OpenSSL libraries are capable of providing strong AES level encryption. However, only the FIPS OpenSSL Object Module libraries meet the FIPS standard. If the ENCRYPTFIPS option is enabled and the libraries are not present, then the SAS system produces an error when a SAS server needs to act as a TLS client and communicate over HTTPS protocol.
Note: When the ENCRYPTFIPS option is turned on, SAS Internal Passwords are stored using the SHA-256 hashing algorithm.