RPOST AND NIST FIPS 140-2 ENCRYPTION

Federal Information Processing Standards 140-2 Encryption
Cryptographic Module Validation Program
Computer Security Resource Center
National Institute of Standards and Technology (NIST)
U.S. Department of Commerce

AND

Federal Information Processing Standards 140-2 Encryption
Canadian Centre for Cyber Security
Canadian FIPS 140-2 Cryptographic Module Validation Authority
Government of Canada

RPost´s main responsibilities as a data processor are to provide for the confidentiality, integrity, availability, and resilience of systems and services that process sensitive business, government, and personal (“Protected”) data.

This document outlines the technical and organizational measures that RPost has implemented to comply with legal and contractual security obligations while processing Protected data. These measures apply to all data processing activities that are within the control of RPost.

1. RPost systems are built to protect Protected data and to secure transfer of Protected data.
2. Data in transit that is designated to be sent securely is protected using RSA-AES256, PDF-AES256 or TLS encryption. All system stored data is encrypted at rest. The storage volumes are encrypted at block level using AES-256 in a manner consistent with NIST 800-57 and with FIPS 140-2 approved algorithms.
3. Two-factor authentication is required for elevated and privileged access to all critical systems and environments. Access is only granted to authorized people using VPN connections.
4. Mechanisms for securing data transfer, for monitoring and for logging activities in networks have been established to the required extent.
5. Systems are protected from malicious and vulnerable sites. Network and systems follow CIS hardening benchmarks, only certain systems have access to internet while the rest of the systems can only access internal systems. Firewalls and intrusion detection and prevention systems (IDS / IPS) are in place.
6. To minimize the risk of data breaches, paper printouts and exports of confidential data are avoided whenever possible.
7. Electronic data exports that are no longer required are deleted from the respective storage locations.

The National Institute of Standards and Technology (NIST), as the United States FIPS 140-2 Cryptographic Module Validation Authority; and the Canadian Centre for Cyber Security (CCCS), as the Canadian FIPS 140-2 Cryptographic Module Validation Authority; have validated the FIPS 140-2 testing results of the cryptographic modules listed below in accordance with the Derived Test Requirements for FIPS 140-2, Security Requirements for Cryptographic Modules. FIPS 140-2 specifies the security requirements that are to be satisfied by a cryptographic module utilized within a security system protecting Sensitive Information (United States) or Protected Information (Canada) within computer and telecommunications systems (including voice systems).

RPost services use cryptographic modules maintained by third parties publish validated certification with NIST and CCCS Federal Information Processing Standards 140-2 Encryption.

More specifically,

1. RPost’s message-level encryption within its RMail^®, Registered Email™, and RDocs™ services use in components RSA-AES-256-bit encryption generated by a component of the RMail^® and Registered Email™ processing servers, that component being Software Module: Cryptographic Primitives Library (Microsoft) with CMVP Certificate #4356.
2. RPost’s message-level encryption within its RMail^®, Registered Email™ and RDocs™ services additionally use PDF-AES-256-bit encryption generated by a component of the RMail^® and Registered Email™ processing servers, that component being Software Module: BC-FNA (Bouncy Castle FIPS .NET API) with CMVP Certificate #4416.
3. RPost internal processing system stored data within all RPost services is encrypted at rest using RPost managed and frequently rotated keys within the AWS Key Management Service (KMS). AWS KMS uses configurable cryptographic algorithms so that the system can quickly migrate from one approved algorithm, or mode, to another. The initial default set of cryptographic algorithms has been selected from Federal Information Processing Standard (FIPS-approved) algorithms for their security properties and performance. AWS KMS key generation is performed on the AWS KMS HSMs. The HSMs implement a hybrid random number generator that uses the NIST SP800-90A Deterministic Random Bit Generator (DRBG) CTR_DRBG using AES-256. It is seeded with a nondeterministic random bit generator with 384-bits of entropy and updated with additional entropy to provide prediction resistance on every call for cryptographic material. The storage volumes are encrypted at block level using these FIPS 140-2 approved algorithms, Hardware Module: AWS Key Management Service HSM (Amazon Web Services) with CMVP Certificate #4523.
4. RPost electronic signature service records and message level encryption message body text parts are secured for content integrity and origination using X.509 public key digital certificates, that are AATL recognized DigiCert Trusted G4 Code Signing RSA4096 SHA384 digital certificates.
5. RPost transmission level encryption within its RMail^®, Registered Email™, RDocs™, RSign^®, and RForms™ services use X.509v3 RSA Encryption for TLS transmission through TLS 1.3. For RMail and Registered Email encryption services, the sender organization can enforce either AES-256-bit encryption using the modules noted above or X.509v3 RSA Encryption Transport Layer Security (TLS) 1.2 or TLS 1.3 transmission encryption and if the receiving server cannot accommodate such, automatically revert to AES-256-bit encryption using the modules noted above. The decision to enforce AES-256-bit message level encryption or a particular minimum TLS level is set by the customer administrator in the RPost RPortal customer settings application. The X.509v3 RSA Encryption certificate is issued by Let’s Encrypt with a Certification Practice Statement (CPS) posted according to the Internet Security Research Group (ISRG) published operating practices. A certificate sample reference from one of the RPost system server mail transport agents is available in the accompanying PDF or upon request from RPost

Last Modified August 29, 2023