In this guide, you’ll learn what FIPS 140 is, how Actifile helps enforce FIPS compliance, and the steps to enable and audit FIPS mode for your data security needs.
For organizations that need to meet strict security standards, Actifile can be configured to use Microsoft’s FIPS 140 validated cryptographic modules. This ensures compliance with government and industry regulations requiring validated encryption methods, such as Controlled Unclassified Information (CUI) requirements or Cybersecurity Maturity Model Certification (CMMC) audits.
What is FIPS 140?
The Federal Information Processing Standard (FIPS) 140 is a U.S. government security standard that defines the minimum security requirements for cryptographic modules in IT products. It is maintained by the National Institute of Standards and Technology (NIST) in collaboration with the Canadian Centre for Cyber Security (CCCS).
Microsoft validates its cryptographic modules under this standard, making Windows 10, Windows Server, and Microsoft cloud services FIPS-compliant when configured correctly. Actifile leverages these Microsoft cryptographic modules to help organizations enforce and audit FIPS 140 compliance.
Why Enable FIPS 140 in Actifile?
Actifile enables organizations to:
- Set up FIPS-compliant encryption for specific data types (e.g., CUI).
- Discover which devices need FIPS encryption based on the discovered data.
- Enforce FIPS encryption policies at the operating system level.
- Audit compliance status to provide evidence for security assessments.
Important: Enabling FIPS mode can cause compatibility issues with some applications. For example, QuickBooks and ConnectWise email forwarders do not support FIPS encryption. If a system becomes incompatible, you may need to disable FIPS mode on the device or move the application to a non-FIPS device.
How to Enable and Audit FIPS 140 Compliance in Actifile
Step 1. Configure Classifiers for FIPS Encryption
Actifile allows administrators to specify which classifiers require FIPS-compliant encryption.
1. Navigate to Deployment > Classifiers > Active Classifiers.
2. Select the relevant classifier (e.g., CUI) and click its name to open the settings.
3. Check the Requires FIPS Compliance box and save the settings.
Step 2. Enable FIPS Mode and Perform Initial Scan
1. Click the gear icon in the top-right corner and navigate to Settings > Customer Settings.
2. Enable Show FIPS Status and save the changes.
3. Go to the Deployment tab and locate the FIPS Status tool. If it does not appear, refresh the page.
The FIPS Status tool will display:
- Whether data requiring FIPS was detected on scanned devices.
- Whether FIPS mode is currently enabled on the device.
Note: A device meets FIPS compliance if:
- It does not contain data requiring FIPS, regardless of FIPS settings.
- It contains data requiring FIPS, and FIPS Group Policy is enabled.
Additionally, Actifile displays the version of cryptographic modules in use.
Note: It is the administrator’s responsibility to verify that the cryptographic module version complies with the data encryption requirements. For details on validated module versions, refer to the Microsoft official documentation.
Step 3. Configure FIPS Group Policy
Windows 10 and Windows Server can be configured to operate in a FIPS 140-2 approved mode, commonly known as “FIPS mode.” When FIPS mode is enabled, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) perform self-tests before executing cryptographic operations. These tests, conducted according to FIPS 140 Section 4.9, ensure the proper functioning of the modules.
- The FIPS Group Policy can be set on a per-device basis and should ideally be applied only to machines handling FIPS-relevant data. In the example below, FIPS mode is disabled on the second device to minimize the risk of software incompatibility.
- The FIPS Group Policy checkbox in Actifile enables the corresponding Windows Local Security Policy:
System Cryptography: Use FIPS-compliant algorithms for encryption.
- The FIPS Group Policy column displays the current setting but does not necessarily reflect the actual device configuration. Therefore, it should not be used as compliance evidence.
- Instead, use the FIPS Status column, which serves as an audit log relayed from the device. If it shows Set, the device is correctly configured with the policy, making it valid for compliance verification.
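The following PowerShell script is an added example, not code from Actifile or Microsoft. It reads the FIPS state the device itself enforces (the registry value behind the "System Cryptography: Use FIPS-compliant algorithms" policy), records the file versions of the two cryptographic modules named above so they can be checked against Microsoft's validated-module list, and applies the compliance rule from the FIPS Status tool (no FIPS-relevant data, or FIPS-relevant data with the policy set). The registry key and module paths are assumptions stated in the comments; the `$containsFipsData` value is constructed by hand where the Actifile scan result would normally be used.

```powershell
# Added example (not Actifile's or Microsoft's code): audit the FIPS state a Windows device
# actually enforces, independently of what a management console column reports.
# Assumptions: run in an elevated PowerShell session on Windows 10 / Windows Server; the
# Local Security Policy "System Cryptography: Use FIPS-compliant algorithms..." is backed by
# the DWORD 'Enabled' under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy;
# the modules live at System32\bcryptprimitives.dll and System32\drivers\cng.sys.

function Get-FipsPolicyEnabled {
    # Effective policy state as stored by Windows (1 = set; 0 or absent = not set).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    if (-not (Test-Path $key)) { return $false }
    $value = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    return ([int]$value -eq 1)
}

function Get-FipsModuleVersions {
    # File versions of the two modules the guide names. Whether a given version is validated
    # must still be confirmed by the administrator against Microsoft's documentation.
    $paths = @{
        'bcryptprimitives.dll' = Join-Path $env:SystemRoot 'System32\bcryptprimitives.dll'
        'cng.sys'              = Join-Path $env:SystemRoot 'System32\drivers\cng.sys'
    }
    foreach ($name in $paths.Keys) {
        $path = $paths[$name]
        $version = 'missing'
        if (Test-Path $path) { $version = (Get-Item $path).VersionInfo.FileVersion }
        [pscustomobject]@{ Module = $name; Path = $path; Version = $version }
    }
}

function Test-FipsCompliance {
    # Compliance rule from the FIPS Status tool: a device is compliant if it holds no data
    # requiring FIPS, or if it does and the FIPS policy is set on the device.
    param(
        [Parameter(Mandatory)] [bool] $ContainsFipsData,   # normally from the classifier scan
        [bool] $PolicyEnabled = (Get-FipsPolicyEnabled)
    )
    if (-not $ContainsFipsData) { return $true }
    return $PolicyEnabled
}

# Usage: produce one audit record for this device. The scan result is constructed here;
# in practice it comes from the Actifile classifier scan.
$containsFipsData = $true
$policyEnabled    = Get-FipsPolicyEnabled
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    ContainsFipsData = $containsFipsData
    FipsPolicySet    = $policyEnabled
    Compliant        = Test-FipsCompliance -ContainsFipsData $containsFipsData -PolicyEnabled $policyEnabled
    Modules          = (Get-FipsModuleVersions | ForEach-Object { "$($_.Module)=$($_.Version)" }) -join '; '
} | Format-List
```

Run the script on a device after applying the policy and compare its `FipsPolicySet` value with the FIPS Status column in Actifile; a mismatch indicates the relayed status is stale or the policy has not yet taken effect, and only the device-side value should be treated as evidence.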
For more details on Windows Security and FIPS validation, refer to:
Federal Information Processing Standard (FIPS) 140 Validation – Windows Security | Microsoft Docs