Request Demo
Platform CapabilitiesPolicy Creation and ManagementFile Sharing and CollaborationFile Transfer AutomationFully Governed Email DataData Streaming with Next-gen DRMControlled AI Data AccessSecure Data Intake Via Online Forms
Use CasesControl Data ExchangeMeet Regulatory RequirementsSafeguard Private AI Data
PartnersTechnology PartnersMSP & MSSP PartnersResellers & Channel Partners
ResourcesResource CenterDevelopersCustomers
CompanyAbout UsManagementInvestorsCareersTechnical SupportNewsroomTrust PageVulnerability CenterContact Us
Request Demo
Mouseover to personalize your Kiteworks website experience

FIPS

Implement FIPS-validated cryptographic modules ensuring federal-grade encryption standards for protecting sensitive government information in storage and transit.

How Kiteworks Supports FIPS

How Kiteworks Supports FIPS Compliance

Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology (NIST) for use in computer systems by non-military American government agencies and government contractors. FIPS 140-2 and its successor FIPS 140-3 are particularly critical, establishing security requirements for cryptographic modules used to protect sensitive but unclassified information. Kiteworks implements FIPS-validated cryptographic modules throughout its platform, ensuring that all encryption operations meet the highest federal standards.

FIPS 140-2/140-3 Overview

FIPS 140 defines four increasing levels of security for cryptographic modules:

Security LevelRequirementsKiteworks Implementation
Level 1Basic security requirements, production-grade equipmentBaseline module requirements exceeded
Level 2Physical tamper-evidence, role-based authenticationTamper-evident seals, role-based access
Level 3Physical tamper-resistance, identity-based authenticationEnhanced physical protections for hardware deployments
Level 4Complete physical security envelope, environmental protectionsAvailable for highest-security deployments

Cryptographic Module Validation

Kiteworks uses NIST-validated cryptographic modules that have undergone rigorous testing by accredited Cryptographic and Security Testing (CST) laboratories. This validation ensures:

  • All cryptographic algorithms are correctly implemented
  • Key management practices meet NIST requirements
  • The modules operate correctly in their approved modes
  • Self-testing capabilities verify module integrity at startup and during operation

FIPS-Validated Encryption Algorithms

Kiteworks implements the following NIST-approved algorithms:

  • AES-256: Advanced Encryption Standard with 256-bit keys for symmetric encryption of data at rest and in transit.
  • SHA-256/SHA-384/SHA-512: Secure Hash Algorithms for data integrity verification and digital signatures.
  • RSA (2048-bit and above): Asymmetric encryption for key exchange and digital signatures.
  • ECDSA: Elliptic Curve Digital Signature Algorithm for efficient digital signatures.
  • HMAC: Hash-based Message Authentication Code for message integrity and authentication.
  • DRBG: Deterministic Random Bit Generator for cryptographically secure random number generation.

Key Management Practices

Proper key management is essential for cryptographic security. Kiteworks implements comprehensive key management including:

  • Key Generation: All encryption keys are generated using FIPS-approved random number generators within validated cryptographic modules.
  • Key Storage: Encryption keys are stored in protected key stores with access controls limiting key usage to authorized operations.
  • Key Rotation: Automated key rotation policies ensure encryption keys are regularly refreshed according to organizational and regulatory requirements.
  • Key Destruction: When keys are no longer needed, they are securely destroyed using approved zeroization methods.
  • Customer-Managed Keys: Organizations can maintain full control over their encryption keys, ensuring that even Kiteworks cannot access encrypted data.

Random Number Generation

Cryptographic security depends on high-quality random number generation. Kiteworks uses:

  • NIST SP 800-90A compliant Deterministic Random Bit Generators (DRBGs)
  • Hardware entropy sources where available for seeding random number generators
  • Continuous random number generator testing to ensure output quality
  • Separation of random number generation for different security domains

Physical Security of Cryptographic Modules

For on-premises deployments, Kiteworks supports physical security measures for cryptographic modules:

  • Tamper-evident packaging and seals
  • Environmental failure protection mechanisms
  • Physical access controls for cryptographic hardware
  • Zeroization capabilities for emergency key destruction

Operational Environment Requirements

FIPS 140 specifies requirements for the operating environment in which cryptographic modules execute. Kiteworks addresses these through:

  • Hardened operating system configurations that limit the attack surface
  • Process isolation ensuring cryptographic operations are protected from other system processes
  • Memory protection preventing unauthorized access to cryptographic keys in memory
  • Secure boot processes that verify system integrity before cryptographic module initialization

Self-Testing Capabilities

FIPS-validated modules must perform self-testing to verify correct operation. Kiteworks' cryptographic modules include:

  • Power-Up Self-Tests: Verify cryptographic algorithm correctness and module integrity at startup.
  • Conditional Self-Tests: Test cryptographic operations when specific conditions are met (key generation, random number generation).
  • Continuous Testing: Ongoing verification of random number generator output quality.
  • Error State Handling: Automatic entry into an error state if self-tests fail, preventing use of potentially compromised cryptographic operations.

FIPS Mode of Operation

Kiteworks can be configured to operate in strict FIPS mode, which ensures:

  • Only FIPS-approved algorithms are used for all cryptographic operations
  • Non-approved algorithms are disabled and cannot be enabled
  • All TLS connections use only FIPS-approved cipher suites
  • Key lengths meet or exceed FIPS minimum requirements

TLS 1.2/1.3 FIPS-Compliant Implementations

Kiteworks implements FIPS-compliant TLS connections using:

  • TLS 1.2 and 1.3 with FIPS-approved cipher suites only
  • Perfect Forward Secrecy (PFS) using ECDHE key exchange
  • Certificate validation using FIPS-approved signature algorithms
  • Session management with secure renegotiation and resumption

Certificate-Based Authentication

Kiteworks supports certificate-based authentication using FIPS-validated cryptographic operations:

  • X.509 certificate validation with FIPS-approved algorithms
  • Integration with Public Key Infrastructure (PKI) using government-issued certificates
  • Certificate revocation checking via CRL and OCSP
  • Support for Common Access Card (CAC) and Personal Identity Verification (PIV) certificates

By implementing FIPS-validated cryptographic modules throughout its platform, Kiteworks ensures that federal agencies, defense contractors, and other regulated organizations can trust that their data is protected by cryptographic operations that meet the highest government standards.