EngageOne

Why EngageOne® Compose products are not FIPS compliant and what you can do about it


    Pitney Bowes
    Posted 07-24-2019 13:39
    Are EngageOne Compose products (such as EngageOne Designer) FIPS compliant?
    Short answer - No.

    What is FIPS?
    FIPS stands for the United States government encryption standard "Federal Information Processing Standards" as issued by the U.S. National Institute of Standards and Technology (NIST).

    What impact does it have?
    Using this option mandates that any secure communication encryption standards used must have been certified by the FIPS standard.

    What does it do on Windows operating systems?
    Enabling FIPS mode on Windows operating systems turns on the FIPS (140) standard, which allows compliance with this U.S. government standard.

    Who would use it?
    It is typically used either by U.S. Government (or its agencies) users or by customers working with U.S. government agencies which require this standard.

    What effect does it have on EngageOne Compose components?

    EngageOne Compose Suite, including all Microsoft Windows applications, comprising:

    • Designer Server + Services
    • Designer Client + Services
    • Generate Server Mode (Windows)
    • Interactive Editor (ActiveX and App)
    • Content Author Admin + Services
    • Content Author Editor
    • Key Map Generator

    ... are targeted for use on Microsoft Windows operating systems.


    This involves the use of the underlying ".NET Framework" in order for these Windows programs to execute and communicate between the different components securely.

    The use of the FIPS encryption standard is not recommended for use, by Microsoft, on ANY Microsoft Desktop application using this fundamental .NET Framework.
    Enabling FIPS stops all modern algorithm .NET Communication Security encryption (not FIPS certified) from working.

    Obviously this affects all the above EngageOne Compose Suite programs, including Designer, in exactly the same way as every single other Desktop .NET program which uses modern secure communication encryption built for use on Microsoft operating systems,

    i.e.

    Enabling FIPS causes Designer & Co to stop working.


    What guidance does Microsoft issue for FIPS use on Windows?

    For the reasons given above, Microsoft have issued guidance around why they no longer recommend use of FIPS.


    Full details are given in the Microsoft article here:

    Why Microsoft do not recommend usage of FIPS anymore

     

    • For full technical details, refer to the following section of the above Microsoft article:
      • Why FIPS mode is particularly onerous

    What can I do if my EngageOne product doesn't work with FIPS mode on Windows?

    1. Disable FIPS mode on Windows to allow EngageOne Windows products such as EngageOne Designer to function.
    2. Request intermediate exemption from FIPS / NIST given the industry-wide gap in support for all Microsoft .NET programs using modern secure communication encryption.
    3. Refer the issue to FIPS / NIST to work with Microsoft to update the Standard to cater for modern Microsoft .NET secure communication encryption algorithms.





    ------------------------------
    Paul Barron
    Principal QA
    EngageOne Compose (Designer / Generate)
    Watford, United Kingdom
    ------------------------------
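
Before changing anything on a machine where Designer or another .NET program fails, it helps to confirm that FIPS mode is actually on and to see which .NET cryptography classes are refused. The read-only PowerShell check below is an added example, not part of the original post and not Pitney Bowes code; the function name `Get-FipsModeReport` and the sample list of classes are assumptions chosen for illustration.

```powershell
# Added example: read-only diagnostic. It changes no settings.
function Get-FipsModeReport {
    # Registry switch behind the Windows security policy
    # "System cryptography: Use FIPS compliant algorithms ...".
    # Enabled = 1 means FIPS mode is on; 0 or a missing value means off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $prop = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    $registryEnabled = [bool]($prop -and $prop.Enabled -eq 1)

    # What the .NET runtime hosting this PowerShell session has picked up.
    $dotNetFipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # Illustrative sample of .NET implementations (an assumption, not a list
    # taken from EngageOne). Which of them fail depends on the .NET version.
    $typeNames = @(
        'System.Security.Cryptography.MD5CryptoServiceProvider',
        'System.Security.Cryptography.SHA256Managed',
        'System.Security.Cryptography.SHA256CryptoServiceProvider',
        'System.Security.Cryptography.RijndaelManaged',
        'System.Security.Cryptography.AesManaged',
        'System.Security.Cryptography.AesCryptoServiceProvider'
    )

    $algorithms = foreach ($name in $typeNames) {
        try {
            # Constructing the object is enough: blocked classes throw here.
            $instance = New-Object -TypeName $name -ErrorAction Stop
            $instance.Dispose()
            [pscustomobject]@{ Algorithm = $name; Usable = $true; Error = $null }
        }
        catch {
            # Unwrap to the underlying exception raised by the constructor.
            $message = $_.Exception.GetBaseException().Message
            [pscustomobject]@{ Algorithm = $name; Usable = $false; Error = $message }
        }
    }

    [pscustomobject]@{
        RegistryFipsEnabled = $registryEnabled
        DotNetFipsOnly      = $dotNetFipsOnly
        Algorithms          = $algorithms
    }
}

$report = Get-FipsModeReport
$report | Select-Object RegistryFipsEnabled, DotNetFipsOnly | Format-List
$report.Algorithms | Format-Table -AutoSize -Wrap
```

If `RegistryFipsEnabled` is true and some rows show `Usable` as false, the failure matches the behaviour described in the post; if FIPS mode is off, the cause lies elsewhere.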