FIPS and non-FIPS compliance - Metasys - M4-SNE10500-0, M4-SNE10501-0, M4-SNE11000-0, M4-SNE11001-0, M4-SNE110L0-0, M4-SNE110L1-0, M4-SNE22000-0, M4-SNE22001-0

SNE Commissioning Guide

Product name: SNE10 Network Engine, SNE11 Network Engine, SNE22 Network Engine, SNE Supervisory Network Engine
Document type: Commissioning Guide
Document number: LIT-12013352
Version: 12.0
Revision date: 2022-12-12
Product status: Active

At Metasys Release 11.0 and later, the encryption methods used for communication between the SNE or SNC and the Metasys Server have been updated to meet FIPS 140-2. FIPS 140-2 refers to Federal Information Processing Standard (FIPS) Publication 140-2, a U.S. government computer security standard used to approve cryptographic modules.

FIPS 140-2 compliance is a standard feature on all SNE or SNC engines at Release 11.0 and later, and an optional, licensed feature for the Metasys Server and NAE85/LCS85 software engines. After you update an SNE or SNC to Release 11.0 or later, the only method for removing FIPS 140-2 compliance is to reimage the engine to an earlier release. Also, there is no attribute in the user interface to indicate that a particular network engine is FIPS compliant. All SNE or SNC engines that run Release 11.0 and later firmware are FIPS compliant; all engines at any earlier release are not FIPS compliant.

For the Metasys Server at Release 11.0 or later, FIPS 140-2 compliance is a purchased and licensed feature. The attribute called FIPS Compliance Status, located under the Engineering Values section of the ADS device object, indicates the current FIPS status of the server. The value is either Compliant (Licensed) or Non-Compliant (Unlicensed). This read-only attribute is set to Compliant (Licensed) after you license FIPS compliance and install the FIPS compliance software on the Metasys Server. After you license the server for FIPS compliance, the server communicates only with other network engines that are also FIPS compliant. This restriction is necessary for a facility to be fully FIPS compliant.

Refer to the following table for an overview of how communication between the Site Director and network engines is affected under various security settings. As indicated in Table 1, a Site Director at an earlier release cannot communicate with a network engine that is at a later release, regardless of security settings.

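Table 1. Network Engine security overview

| Site Director | Site Director release | Site Director Advanced Security | Server FIPS Compliance | Network Engine communication to Site Director: Rel. 9.0 or earlier | Network Engine communication to Site Director: Rel. 10.0 or 10.1 | Network Engine communication to Site Director: Rel. 11.0 or later |
|---|---|---|---|---|---|---|
| ADS/ADX | Rel. 9.0 or earlier | `<na>` | `<na>` | ALLOWED | BLOCKED | BLOCKED |
| ADS/ADX | Rel. 10.0 or 10.1 | FALSE | `<na>` | ALLOWED | ALLOWED | BLOCKED |
| ADS/ADX | Rel. 10.0 or 10.1 | TRUE | `<na>` | BLOCKED | ALLOWED | BLOCKED |
| ADS/ADX | Rel. 11.0 or later | FALSE | Unlicensed | ALLOWED | ALLOWED | ALLOWED |
| ADS/ADX | Rel. 11.0 or later | TRUE | Unlicensed | BLOCKED | ALLOWED | ALLOWED |
| ADS/ADX | Rel. 11.0 or later | TRUE or FALSE | Licensed | BLOCKED | BLOCKED | ALLOWED |
| Network Engine | Rel. 9.0 or earlier | `<na>` | `<na>` | ALLOWED | BLOCKED | BLOCKED |
| Network Engine | Rel. 10.0 or 10.1 | FALSE | `<na>` | ALLOWED | ALLOWED | ALLOWED |
| Network Engine | Rel. 10.0 or 10.1 | TRUE | `<na>` | BLOCKED | ALLOWED | BLOCKED |
| Network Engine | Rel. 11.0 or later | TRUE or FALSE | Always Licensed | BLOCKED | BLOCKED | ALLOWED |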
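
As an added example (not Johnson Controls code and not part of the original guide), the following Python code encodes Table 1 and reports which engines would lose communication with the Site Director if its security settings changed, for instance when the server is licensed for FIPS compliance. The engine names, the inventory and the function names are constructed for illustration, and mapping any 10.x release to the "Rel. 10.0 or 10.1" column is an assumption.

```python
# Added example: Table 1 transcribed as published on this page.
# Key: (Site Director type, release band, Advanced Security, server FIPS licensed)
# Value: verdict for engines at Rel. 9.0 or earlier, 10.0/10.1, 11.0 or later.
A, B = "ALLOWED", "BLOCKED"
TABLE_1 = {
    ("ADS/ADX", 9, None, None): (A, B, B),
    ("ADS/ADX", 10, False, None): (A, A, B),
    ("ADS/ADX", 10, True, None): (B, A, B),
    ("ADS/ADX", 11, False, False): (A, A, A),
    ("ADS/ADX", 11, True, False): (B, A, A),
    ("ADS/ADX", 11, None, True): (B, B, A),         # Advanced Security TRUE or FALSE
    ("Network Engine", 9, None, None): (A, B, B),
    ("Network Engine", 10, False, None): (A, A, A),
    ("Network Engine", 10, True, None): (B, A, B),
    ("Network Engine", 11, None, True): (B, B, A),  # engines are always licensed
}

def band(release):
    """Map a release string such as '10.1' to a Table 1 band: 9, 10 or 11."""
    major = int(release.split(".")[0])
    return 9 if major < 10 else 10 if major == 10 else 11  # assumption: 10.x -> 10

def verdicts(sd_type, sd_release, advanced_security, fips_licensed):
    """Return the Table 1 row (three verdicts) for a Site Director configuration."""
    b = band(sd_release)
    if b == 9:
        adv = fips = None                  # both settings are <na> in Table 1
    elif b == 10:
        adv, fips = advanced_security, None
    else:
        fips = True if sd_type == "Network Engine" else fips_licensed
        adv = None if fips else advanced_security
    return TABLE_1[(sd_type, b, adv, fips)]

def impact(engines, current, proposed):
    """Names of engines ALLOWED under `current` but BLOCKED under `proposed`."""
    now, after = verdicts(**current), verdicts(**proposed)
    return sorted(n for n, r in engines.items()
                  if now[band(r) - 9] == A and after[band(r) - 9] == B)

# Constructed inventory and settings (hypothetical site, not from the guide).
ENGINES = {"engine-lobby": "9.0", "engine-plant": "10.1", "engine-roof": "11.0", "engine-lab": "12.0"}
CURRENT = dict(sd_type="ADS/ADX", sd_release="12.0", advanced_security=False, fips_licensed=False)
PROPOSED = dict(CURRENT, fips_licensed=True)

if __name__ == "__main__":
    for name in impact(ENGINES, CURRENT, PROPOSED):
        print(f"{name} (Rel. {ENGINES[name]}) loses communication after the change")
```

Running the same comparison before licensing FIPS compliance or enabling Advanced Security gives the list of engines to update first.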