Reading Time: 3 minutes

The National Institute of Standards and Technology (NIST) takes digital and data security very seriously. They set the standard for security in products eligible for use by the U.S. and Canadian governments and that’s why we’re incredibly proud to announce that CloudFS, the core of our hybrid cloud file platform, has achieved FIPS 140-3 certification. 

This process has taken almost two years of rigorous testing and now, Panzura CloudFS joins other enterprise NAS storage systems such as NetApp and Dell to achieve this level of security for our customers. CloudFS is currently the only hybrid cloud file storage solution to have achieved FIPS 140-3 certification for its core data encryption and key management processes.

NIST FIPS 140-3 is a federal information processing standard that sets forth security requirements for cryptographic modules used within embedded security systems. Opting for a hybrid cloud file platform with a FIPS 140-3 certified cryptographic module provides assurance of 3rd party tested security, compliance, risk management, interoperability, and public trust. 

This certification allows Panzura customers to demonstrate their own commitment to data security as well as supporting their compliance with CMMC levels 2 and 3 and HIPAA regulations.

FIPS 140-3 was established by NIST and is the successor to FIPS 140-2. This processing standard is now based on ISO/IEC 19790, an internationally accepted security certification, so FIPS 140-3 certification effectively proves CloudFS’s cryptography internationally. You can read more information about this standardization here.

Key aspects of FIPS 140-3 include:

1. Security Levels: The standard defines four levels of security with progressively more rigorous requirements, with level 1 being the least stringent and level 4 being the most stringent. The.

2. Cryptographic Module Compliance: To achieve compliance with FIPS 140-3, a cryptographic module must undergo testing by an accredited laboratory and meet the defined security requirements.

3. Performance and Flexibility: FIPS 140-3 introduces a performance-oriented approach and acknowledges the need to address various modern technologies and implementations. There is usually a trade-off between performance and security, however Panzura CloudFS overcomes these limitations through its unique hybrid cloud architecture, performing like a local storage array while working with storage that may be a substantial distance away. 

4. Transition from FIPS 140-2: While FIPS 140-2 is still recognized, organizations are encouraged to transition to FIPS 140-3 since it incorporates updated security measures and best practices.

5. Documentation and Automation: The new standard includes requirements for better documentation of the cryptographic module’s design and operational practices, enabling more automated testing and validation processes.

FIPS 140-3 certification ensures that an organization’s storage infrastructure meets high standards for cryptographic security, which is important for protecting sensitive information against cyber threats, fulfilling regulatory requirements, and may also help to lower your cyber insurance costs.

CMMC (Cybersecurity Maturity Model Certification) Level 2 and Level 3 certification require the use of FIPS 140-3 certified solutions. This certification is particularly important for organizations that are part of the U.S. Department of Defense (DoD) supply chain. 

  • Defense Contractors: Organizations that contract directly with the DoD, including prime contractors and subcontractors, need to meet CMMC requirements to ensure the security of Controlled Unclassified Information (CUI) and other sensitive data.
  • Suppliers and Manufacturers: Companies that provide goods or services to the DoD, including those in manufacturing, engineering, and logistics sectors, must achieve the appropriate CMMC level to maintain their business relationships.
  • Service Providers: Organizations offering IT services, cybersecurity solutions, or cloud services to defense contractors may also be required to comply with CMMC to handle CUI securely.
  • Research and Development Firms: Companies involved in defense-related research and technology development may need CMMC Level 2 or Level 3 certification to protect sensitive information.
  • Support Services: Organizations providing various support services, such as consulting, training, or maintenance for defense programs, are also subject to CMMC requirements if they handle controlled unclassified information (CUI).
  • Startups and Small Businesses: Smaller companies entering the defense market are increasingly expected to achieve CMMC certification to compete for contracts.
  • Architecture, Engineering & Construction: Panzura has been wildly successful in the AEC space, and our customers know that if they are doing any business with the DoD or other government agencies that require a CMMC Level 2 or Level 3 certification, Panzura CloudFS not only meets the stringent requirements of FIPS 140-3, but also enables global collaboration with immediate data delivery.

FIPS 140-3 can also contribute toward HIPAA compliance:

  • Encryption: HIPAA requires strong encryption of protected health information (PHI), both at rest and in transit. FIPS 140-3 certified cryptographic modules provide the necessary security features to meet these requirements.   
  • Key Management: FIPS 140-3 addresses key generation, storage, and distribution, ensuring the security of cryptographic keys used to encrypt and decrypt PHI.   
  • Random Number Generation: Strong random number generation is essential for cryptographic algorithms. FIPS 140-3 specifies requirements for random number generators to prevent predictability and enhance security.   
  • Self-Tests: FIPS 140-3 mandates regular self-tests to verify the correct operation of cryptographic modules, helping to maintain security and identify potential vulnerabilities.   
  • Physical Security: FIPS 140-3 includes physical security requirements to protect cryptographic modules from unauthorized access and tampering.   

By using solutions such as Panzura’s CloudFS with FIPS 140-3 certified cryptographic modules, healthcare organizations can demonstrate a high level of security commitment and enhance their compliance with HIPAA regulations. Equally, organizations across all industries — including government contractors and suppliers — can confidently select CloudFS on the basis of its security qualifications.

Panzura’s NIST FIPS 140-3 certification can be found here.