Using Arcsight Platform and Products in FIPS Mode

The Federal Information Processing Standard (FIPS) comprises a set of rules and regulations defined by the United States government that specify the security requirements for data processing and communication between the components.

For a more thorough understanding of FIPS, official FIPS documentation (FIPS PUBS) is available online.

Understanding FIPS 140 Security Requirements

FIPS 140 is one of the standards of FIPS that governs the use of encryption and cryptographic services. FIPS 140 defines security rules and regulations for cryptographic modules to keep sensitive information secure.

According to the Federal Information Security Management Act (FISMA), all the United States government agencies, United States government contractors, and third parties working for the federal agencies must adhere to the FIPS 140 standard.

For testing cryptographic modules, the two revised editions of FIPS 140 are given below:

FIPS Publication

Standard

FIPS 140-2

Includes changes in technology and standards defined by other standards bodies.

Includes modifications based on comments from vendors, laboratories, and user communities.

FIPS 140-3

Aligns with standards defined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)

Enabling FIPS Mode for ArcSight Platform Components

Most components in the ArcSight Platform architecture can operate in the FIPS 140 mode: this includes all of the components that directly handle event data from edge ingestion, to storage in the database, to retrieval from the database supports FIPS 140 Mode. FIPS 140 mode is active by default for some components and cannot be disabled. ArcSight Platform establishes a secure communication between its components using FIPS-validated cryptographic modules.

The table below describes the component level FIPS 140 support:

Component

Sub-components that support FIPS mode

 Enabling FIPS mode
ArcSight Management Center (ArcMC) fusion-arcmc-web-app

  • Always enabled
Database All
Enterprise Security Manager (ESM) All
Fusion

All

  • Always enabled
Intelligence

All

  • Always enabled
Layered Analytics All

  • Always enabled
Recon All

  • Always enabled
SmartConnectors All
SOAR

soar-web-app

soar-message-broker

soar-jms-migration

For the sub-components listed that support FIPS mode, FIPS mode is always enabled.
Transformation Hub

th-kafka

th-kafka-manager

th-schemaregistry

th-routing-processor

th-c2av-processor

th-web-service

th-cth

th-c2av-processor-esm

th-enrichment-processor

  • For the sub-components listed that support FIPS mode, FIPS mode can be enabled during deployment.
  • When using the ArcSight Platform Installer tool, add the property th-init-fips: true to the suite > config-params section of your installation configuration yaml file.

    For example:

    suite:
      products: [fusion, esm, soar, transformationhub]
      config-params:
    th-init-fips: true
  • When performing the installation manually, configure the Transformation Hub > Connections use FIPS encryption option as described in the Configuring the Deployed Capabilities section.
Components that can not operate in the FIPS 140 mode use strong industry standard encryption to establish secure communication. However, our objective is to increase the coverage of components that can operate in the FIPS 140 mode.

For more information about each of the pods listed above, see Understanding Labels and Pods.

For information on creating a RedHat operating system with FIPS enabled, see "10.2 Federal Information Processing Standard (FIPS)" on the RedHat Customer Portal. Note: This link opens an external site.