
ASA 5500 series, FIPS Compliance

dheinen
Level 1

I see that there is a part number for a "FIPS Kit".

It looks like it’s just a package of stickers…

Or is there more to it than that?

Is this FIPS Kit “Recommended” or “Required” for FIPS Compliance?

The published Security Policy for the ASA 5500 series:

http://www.cisco.com/en/US/docs/security/asa/asa70/hw/fips_asa.pdf

Page 16 says:

All Critical Security Parameters are stored and protected within each appliance’s tamper evident enclosure. The administrator is responsible for properly placing all tamper evident labels. The security labels recommended for FIPS 140-2 compliance are provided in the FIPS Kit (CVPNPIXASAFIPS/KIT). These security labels are very fragile and cannot be removed without clear signs of damage to the labels.

Is this “FIPS Kit” actually necessary?

The ASA will be located in a secure facility, which meets our physical security legal requirements.

Thanks!

Dean

2 Replies

Michael Schueler
Cisco Employee

Hello Dean,

The CVPNPIXASAFIPS/KIT (which is identical to the more generic CISCO-FIPS-KIT=) indeed contains mainly tamper-proof labels plus a document pointing to a Cisco web page that organizes all of the device validations.

To achieve full FIPS 140-2 compliance such labels are required. We say that we recommend these labels, as other labels with similar characteristics might also be available to achieve this. Please note, though, that those labels would need to be FIPS approved for this specific case, so you cannot pick any label. I'm not aware of any other labels that are FIPS approved for the ASA 5500 series.

In addition to these labels, you also need to install specific, FIPS 140-2 approved, versions of ASA code. Which releases you can use for FIPS compliance is documented here:

http://www.cisco.com/web/strategy/government/security_certification/net_business_benefit_seccert_fips140.html

Further information regarding FIPS for VPN Routers and Security Appliances can be found here:

http://www.cisco.com/en/US/partner/docs/security/vpn_modules/fips/non-opacity_shield_cover_letter/fpsflr_4.html

So, if your security policy requires FIPS compliance, you need both the labels (i.e. the FIPS kit) and the FIPS approved software on the ASA.

If your security policy does not specifically ask for FIPS compliance and the facility you have already meets your physical legal security requirements, you probably do not need the FIPS kit. However, this purely depends on what exactly your security policy asks for.

Regards,

Michael

Michael,

Thank you for the concise info!

The security policy for this application does require FIPS 140-2 compliance. So I will add the FIPS kit to the purchase order, and make sure a correct version is loaded.

Dean