
Recently, the National Library Service for the Blind and Print Disabled (NLS) has announced that all data in PIMMS and the new digital patron enrollment process must meet FIPS 140-3 security standards. Therefore, all Libraries for the Blind and Print Disabled will need to make plans to become FIPS compliant.

For Keystone-hosted LBPD customers, Keystone support will make sure you meet this requirement.

For LBPD libraries with self-hosted databases, your library administration and IT will need to make plans for how to become compliant or consider moving your database to Keystone Hosting Services.

Other state agencies such as Instructional Resource / Material Centers, school libraries, and other organizations may also need to meet FIPS compliance depending on your IT department or funding agency’s requirements.

Below is a brief overview of FIPS 140-3 compliance and the requirements involved.

What is FIPS

In 2019, the National Institute of Standards and Technology (NIST) established the FIPS 140 guidelines for cryptographic modules in hardware and software used by federal departments and agencies. In October 2020, FIPS 140-2 and 140-3 became the current standards.

So, what does FIPS 140-3 compliance mean? It means your organization takes data and system security seriously, meets certain criteria that help safeguard it, and abides by a set of rules when designing and testing encryption technologies to protect sensitive information. In short, running a database / system in a FIPS compliant environment means your organization meets the federal standard to keep information safe from unauthorized access and cyber threats.

Examples of IT measures which help make a system FIPS compliant:

  • Strong encryption methods
  • Secure methods of storing and transmitting information
  • Following best practices for software and hardware security

Additionally, a company / product which is FIPS compliant clearly demonstrates its commitment to data security and its ability to meet certain criteria to safeguard it, making it more trustworthy for government agencies and others requiring a high security system for their information.

What does this mean for KLAS and FIPS compliance?

FIPS compliance strengthens our already robust security controls and is a benefit for all of our customers. For libraries that have Keystone manage and maintain their KLAS application, our systems administrators are working diligently toward having all Keystone hosted servers and databases upgraded to FIPS 140-3 compliance by Fall of 2026.

Meanwhile, libraries who run KLAS in a self-hosted environment will need to make plans to become FIPS compliant or move to a FIPS compliant hosting platform such as Keystone’s.

FIPS and Self-Hosted Systems

Those customers whose local IT supports their KLAS database / server will need to independently make plans for how to meet this federal compliance requirement.

Achieving FIPS 140-3 compliance involves:

  1. Use FIPS-Validated Hardware
    1. You must rely on hardware or firmware cryptographic modules that have been certified by the Cryptographic Module Validation Program (CMVP).
    2. Ensure switches, firewalls, and hardware security modules (HSMs) are on the CMVP validated list. Many major enterprise server vendors (e.g., Dell, HPE) offer specific server configurations with physically hardened, tamper-evident components.
  2. Configure the Operating System & Software
    1. Even with compliant hardware, the software layer must be correctly configured to only allow FIPS-approved algorithms (e.g., AES, RSA, ECC).
    2. Linux: Enable FIPS mode in the kernel. For example, on RHEL or Rocky Linux, install the dracut-fips package and append fips=1 to the boot kernel parameters.
    3. Windows: Open the Local Security Policy and enable the setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing."
    4. Libraries: Use validated cryptographic libraries like OpenSSL (FIPS provider) or wolfSSL in your applications.
  3. Enforce Strict Operational Controls
    1. FIPS 140-3 mandates strict controls on access and key management.
    2. Disable Insecure Protocols: Turn off protocols that rely on outdated or unvalidated algorithms, such as SNMPv2c, older TLS versions (disable TLS 1.0/1.1), and MD5-based Syslog.
    3. Identity & Access Management: Implement multi-factor authentication (MFA) and enforce role-based access control (RBAC).
    4. Self-Tests: Ensure the cryptographic modules are configured to perform Power-On Self-Tests (POST) and Conditional Self-Tests upon startup and execution.
  4. Maintain Physical Security
    1. If you are aiming for FIPS 140-3 Level 3 or higher, the server rack itself must meet strict physical tamper-resistance requirements.
    2. Mount servers in lockable, physically secure cabinets.
    3. Deploy tamper-evident seals and intrusion detection systems on the physical chassis.

For self-hosted customers who may be interested in moving to Keystone Support Services to ensure FIPS compliance, we are now offering a discount in exchange for a 2-year initial hosting agreement to make it more feasible / affordable for you to move to Keystone Hosting. Please let us know if you have any questions, or wish to explore the cost of moving your database to a FIPS 140-3 compliant Keystone supported operational environment.
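A host-side readiness check for the Linux path in step 2 above, written as an added example and not Keystone's or NLS's own tooling: it verifies the kernel FIPS flag, the fips=1 boot parameter, the system-wide crypto policy, and that the OpenSSL 3 FIPS provider is active. The function names and the sample provider listings are assumptions constructed here; the commands it calls (update-crypto-policies --show, openssl list -providers) are the standard RHEL 8+/Rocky Linux and OpenSSL 3 ones.

```shell
#!/usr/bin/env bash
# FIPS readiness checks for a RHEL/Rocky host; function names and the sample
# provider listings are constructed for this example, not Keystone tooling.
# /proc/sys/crypto/fips_enabled reads 1 only when the kernel booted with fips=1
# and its self-tests passed; the path is a parameter so a captured copy can be checked.
check_kernel_fips() {
    local f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}
# fips=1 must be a whole token in the kernel command line (/proc/cmdline contents).
check_cmdline_fips() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])fips=1([[:space:]]|$)'
}
# Output of 'update-crypto-policies --show' must be FIPS or a FIPS:<subpolicy>;
# DEFAULT and LEGACY still permit TLS 1.0/1.1 and non-approved ciphers.
check_crypto_policy() {
    case "$1" in FIPS|FIPS:*) return 0 ;; *) return 1 ;; esac
}
# Parse 'openssl list -providers' (OpenSSL 3) and require the provider block
# named "fips" to report "status: active".
check_openssl_fips_provider() {
    printf '%s\n' "$1" | awk '
        /^  [a-z]/ { cur = $1 }
        /status: active/ && cur == "fips" { found = 1 }
        END { exit !found }'
}

# Constructed sample listings, not captured from any real host.
SAMPLE_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active'
SAMPLE_WITH_FIPS="$SAMPLE_DEFAULT_ONLY
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.7
    status: active"

# Live audit: one PASS/FAIL line per control, non-zero exit if any control fails.
audit_fips_host() {
    local rc=0 policy providers
    policy=$(update-crypto-policies --show 2>/dev/null || echo unavailable)
    providers=$(openssl list -providers 2>/dev/null || true)
    check_kernel_fips && echo "PASS kernel fips_enabled=1" || { echo "FAIL kernel not in FIPS mode"; rc=1; }
    check_cmdline_fips "$(cat /proc/cmdline 2>/dev/null)" && echo "PASS fips=1 on cmdline" || { echo "FAIL fips=1 missing"; rc=1; }
    check_crypto_policy "$policy" && echo "PASS crypto policy $policy" || { echo "FAIL crypto policy $policy"; rc=1; }
    check_openssl_fips_provider "$providers" && echo "PASS OpenSSL FIPS provider active" || { echo "FAIL FIPS provider inactive"; rc=1; }
    return $rc
}
if [ "${1:-}" = "--live" ]; then audit_fips_host; fi
```

Run it with --live on the target host; the individual functions can also be exercised against captured files and command output. On RHEL 8 and later, fips-mode-setup --enable performs the dracut-fips / fips=1 setup described in step 2 in one step, and this script confirms the result.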
