FIPS mode

FIPS (Federal Information Processing Standards) is a set of standards developed by the United States Federal Government for use in computer systems. FIPS 140-2 is the subset of standards which defines approved encryption algorithms used for handling sensitive information.

If your Secure Email Gateway has been pre-configured to operate in FIPS mode, the cryptographic modules used by the Gateway are compliant with FIPS-140-2.

Features and options you will not be able to use in FIPS mode

In FIPS mode, you will not be able to:

• Use TLS 1.0 and 1.1
• Use PGP encryption or decryption
• Set PGP endpoint defaults
• Import or extract PGP keys
• Apply password encryption
• View PGP or Password encryption statistics

Enable and disable FIPS mode

FIPS mode is selected during the installation. You cannot enable or disable it without reinstalling Secure Email Gateway.

Check if your Secure Email Gateway is operating in FIPS mode

1. Navigate to System > Monitoring & Control > Logs & Alarms.

2. Select the System Logs tab.

   If the FIPS Audit log is enabled, the Gateway is operating in FIPS mode.

   If the FIPS Audit log is not enabled, the Gateway is not operating in FIPS mode.

Alternatively:

1. Navigate to System > Encryption > Encryption/Decryption Defaults.

2. If the Gateway is operating in FIPS mode, the following warning is displayed:

   While using Secure Email Gateway in FIPS mode, you will not be able to use PGP or Password as Encryption/Decryption options.

Tell me about...

• FIPS-140-2 and Secure Email Gateway

  Many organizations handle sensitive information on a regular basis. Government departments, financial institutions and other high security industries require a recognized level of security when exchanging information. FIPS-140-2 provides approved standards for message encryption and data handling, and is a key requirement for an increasing number of organizations. In FIPS mode, Secure Email Gateway is compliant with this requirement.

  FIPS mode provides confidence that the Gateway is handling sensitive and unclassified information to the FIPS 140-2 standard required by US Federal Government.

• FIPS and the Peer Gateways

  FIPS-enabled Secure Email Gateway can be peered with other FIPS enabled Gateways. However, FIPS compliance can not be extended to the Peer Gateways which are not FIPS enabled.

  You can add a FIPS-enabled Gateway as a peer to Secure Email Gateway. All subsequent peers must be FIPS enabled. Mixed compliance is not permitted for the Peer Gateways.

• Back up and restore FIPS configurations

  You can only restore FIPS configurations to a FIPS-enabled Secure Email Gateway. This ensures FIPS compliance is maintained consistently on your Gateway or across your peers.

  You cannot restore a non-FIPS configuration to a FIPS-enabled Secure Email Gateway. You cannot restore a FIPS configuration to a non-FIPS-enabled Secure Email Gateway.

• Gateway services which operate in FIPS mode

  The following services use FIPS-approved cryptography:

  • SMTP mail services
  • SpamLogic
  • Policy Enforcement
  • Encryption

• FIPS mode and S/MIME Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification for secure email messages that uses the X.509 format for digital certificates and uses various encryption algorithms such as 3DES. signatures

  If Secure Email Gateway is FIPS enabled, weaker S/MIME signatures (for example, signatures from a non-FIPS-enabled Gateway) will be identified as "Unknown".

See also...

• Areas of non-compliance with FIPS