cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2320
Views
0
Helpful
2
Replies

FIPS Compliant?

Jason Meyer
Beginner
Beginner

We currently use IronPort Encyption appliances for encrypting outbound e-mails. 

Our customers are asking if these devices are FIPS compliant?  They are reading this somewhere:

AsyncOS for Email 7.3 provides support for the Cisco IronPort Email Security appliance with a FIPS-compliant Hardware Security Module (HSM) card.

The Federal Information Processing Standard (FIPS) 140 is a publicly announced standard developed jointly by the United States and Canadian federal governments specifying requirements for cryptographic modules that are used by all government agencies to protect sensitive but unclassified information. The HSM offered with the Cisco IronPort C670 Email Security appliance is the CAVIUM Nitrox XL CN15xx-NFBE Cryptographic Module, which complies with the FIPS 140-2 Level 2 standard. This standard specifies additional protections for information used in cryptographic operations, including the use of a tamper-resistant hardware keystore for private keys.

The HSM card provides cryptographic processing for the appliance as well as storage for private keys. All cryptographic operations take place within the secure environment of the HSM card.

When the Email Security appliance includes the HSM card and uses AsyncOS 7.3, it offloads all cryptographic operations to the HSM card in a FIPS-compliant manner. AsyncOS for Email 7.3 also provides a FIPS management console to allow a FIPS Officer to configure the HSM card to manage certificates and private keys.”

Are the IEA appliances FIPS compliant?

Jason Meyer

1 Accepted Solution

Accepted Solutions

Christopher Smith
Enthusiast
Enthusiast

Hi Jason,

I believe you have a SR open with us reference this issue. My apologies we did not get to follow up before the end of the day. The information your referencing is correct however this applies to the ESA Email Security Appliance. The ESA runing  AsyncOS 7.3 and above Provides support for FIPS. The IEA IronPort Encryption Appliance is not FIPS compliment. While the ESA runs IronPorts Proprietary AsyncOS, the IEA is based on Linux. These two platforms are entirely different from the ground up. Currently there are no plans to make the IEA FIPS complient.

Christopher C Smith

CSE CSCM

Cisco IronPort Customer Support

View solution in original post

2 Replies 2

Christopher Smith
Enthusiast
Enthusiast

Hi Jason,

I believe you have a SR open with us reference this issue. My apologies we did not get to follow up before the end of the day. The information your referencing is correct however this applies to the ESA Email Security Appliance. The ESA runing  AsyncOS 7.3 and above Provides support for FIPS. The IEA IronPort Encryption Appliance is not FIPS compliment. While the ESA runs IronPorts Proprietary AsyncOS, the IEA is based on Linux. These two platforms are entirely different from the ground up. Currently there are no plans to make the IEA FIPS complient.

Christopher C Smith

CSE CSCM

Cisco IronPort Customer Support

I don't have a SR open on this.  Just wanted to get a response from CISCO on this.   Thanks Chris.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers