Utimaco HSMs as Root of Trust for Government Regulatory Compliance
Our communities, economy and national security relies on our government’s ability to keep confidential information out of the hands of nefarious parties. As government agencies continue to move sensitive data to digital storage and cloud computing, the regulatory landscape is expanding and open to more vulnerabilities. FISMA, FedRAMP, and FICAM are some of the compliance mandates and frameworks that government agencies must follow in order to ensure the security of their sensitive information and to effectively fend against cyber attacks and insider threats.
Utimaco’s general purpose hardware security modules (HSMs) provide secure storage and processing of sensitive cryptographic data, creating a secure root of trust for an agency’s public key infrastructure (PKI) systems. These appliances serve a multitude of regulatory agencies and affiliated vendors and accredited at FIPS 140-2 Level 3 or Level 4 (physical) and are certified against Common Criteria.
Utimaco’s Enterprise Secure Key Manager (ESKM) provides a FIPS 140-2 Level 2 certified key management solution. The EKSM creates, protects, serves, and audits access to encryption keys on tamper-resistant hardware. Both Utimaco HSMs and ESKMs support classical and post-quantum cryptographic algorithms and are fully compliant with FISMA, FedRAMP and FICAM.
Compliance Requirements for Government Agencies
Federal Information System Management Act (FISMA)
FISMA was passed by Congress in 2002 and amended in 2014 as part of an effort to ensure protection of sensitive information by the US government. FISMA compliance applies to all US government agencies as well as organizations in the private sector doing business with the US government.
The security controls that government agencies and contractors should apply for FISMA compliance are outlined in a set of NIST publications, including:
- NIST SP 800-53
- NIST SP 800-171
- FIPS 199
- FIPS 200
Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP is designed to ensure that government data and applications placed in the cloud are appropriately secured. The FedRAMP requirements are based upon the NIST 800-53 security controls, which include families such as:
- Access Control
- Audit and Accountability
- Contingency Planning
- Identification and Authentication
- Systems and Communication Protection
Federal Identity, Credential, and Access Management (FICAM)
FICAM is an effort by the US government to standardize the use of identity, credential, and access management solutions across all government agencies. The first goal of FICAM is to strengthen the federal government’s information and physical security, which includes objectives focused on building a secure, usable system for authenticating users to government systems and resources.
Achieving Compliance with Utimaco Solutions
Protecting access to sensitive government data requires the ability to securely and accurately identify and authenticate users before granting access to systems or resources. Utimaco CryptoServer HSMs and ESKMs fulfill the following requirements for agencies to be compliant.
- Create user authentication tokens: User authentication tokens are built around a secret value that must be secured in order to be effective. Ensuring that a malicious user cannot build fake but valid authentication tokens requires protecting the underlying secret. CryptoServer enables secure storage of cryptographic secrets and includes a number of built-in cryptographic algorithms, enabling secure generation of authentication tokens within tamper-resistant hardware.
- Manage user certificates: Public key infrastructure (PKI) is based upon a hierarchy of user keys and certificates, where certificate authorities (CAs) higher in the hierarchy can create valid certificates for those below them. Since these certificates can be used to authenticate users, protection of the private keys used to create them is essential. CryptoServer can store the private keys of CAs and perform certificate creation and signing in a secure environment, protecting these keys from being compromised.
- Implement access controls: Protecting access to sensitive data and functionality requires the ability to securely authenticate users and validate their authorization to access protected resources. CryptoServer enable authentication of users through password-based systems, built-in multi-factor authentication (MFA), and integrations with numerous PKI management systems.
- Store database encryption keys: Database encryption helps to ensure that an attacker with access to an organization’s systems cannot access sensitive data stored on those systems. However, this encrypted data is only as secure as the encryption keys used to protect it. Utimaco Enterprise Secure Key Manager (ESKM) can securely store database encryption keys and perform data decryption within a protected environment, ensuring that secret keys never leave an organization’s control.
Utimaco’s Cryptoserver HSMs and ESKMs provide secure storage and processing of sensitive cryptographic data, creating a secure root of trust for an agency’s public key infrastructure (PKI) systems. This provides a strong foundation for government agencies and contractors to build solutions for FISMA, FedRAMP, and FICAM compliance.
