FIPS 140-2 Compliance

Alloy Navigator family of products uses cryptographic modules and data transmissions protocols that have been validated to meet the FIPS 140-2 standards.

FIPS Background

The FIPS (Federal Information Processing Standard Publication 140-2) is a series of standards specified by the United States Government for approving cryptographic software.

The FIPS standards specify the best practices and security requirements for implementing crypto algorithms, encryption schemes, handling important data, and working with various operating systems and hardware, whenever cryptographic-based security systems have to be used to protect sensitive, valuable data. FIPS defines specific methods for encryption and specific methods for generating encryption keys that can be used.

FIPS Compliance is mandatory for US government computers, which means that all computers used for government work must be FIPS compliant. Government/federal organizations, subsidiaries, and its contractors must ensure FIPS compliance as they deal with information protected by federal government rules.

Alloy Navigator and Information Security

The following sections explain the specific details of security provisions implemented in Alloy Navigator.


  • All system components can be installed on FIPS enabled systems.
  • All web modules can be installed on Microsoft IIS (Internet Information Services)  with FIPS enabled group policy, along with the appropriate digital certificates and ciphers.


For protecting sensitive information used  FIPS compliant cryptographic ciphers.

Data storage and database server

  • All data can be encrypted using FIPS compliant ciphers (SQL Server)
  • Data transmission between the database server and client applications supports FIPS compliant SSL/TLS ciphers, e.g. RSA_3DES_SHA1.
  • Additionally, Alloy Navigator uses FIPS compliant AES-256 ciphers for protecting account credentials.

Communication with external systems

Email – Communication with IMAP, SMTP servers supports FIPS compliant TLS 1.2 protocol

API  – For access to API HTTPS  protocol using FIPS compliant ciphers can be used.

User access

Alloy Navigator employs role-based user  permission system to prevent access to sensitive information.

Alloy Navigator support Windows Authentication. When hosting the Alloy Navigator’s components on a FIPS enabled system, SQL authentication mode must be disabled. FIPS compliant Windows Authorization must be used.

Data transmissions between web consoles and the back-end supports HTTPS  protocol with FIPS compliant ciphers.

Specific protocols and data encryption methods

Protocol, data type Persistent Storage Cypher
User account passwords for remote computer audit Database AES-256
Access Key for Desktop Console user authentication Database, system registry AES-256
SQL Server connection Up to TLS 1.2
SMTP, POP3, IMAP4 for email communication TLS 1.1, possible TLS 1.2
MAPI for email communication Up to the newest TLS
EWS for email communication Up to the newest TLS
Database connection string for web modules web.config AES-256
Account credentials for various automated jobs and email access Database AES-256
Import Wizard: Login and Password for ADO source Profile file AES-256
Encrypted data fields Database AES-256
Active Directory authentication Kerberos, and possibly NTLM
Active Directory channel encryption SSL/TLS

Please feel free to contact us if you have any questions or concerns regarding using Alloy Navigator family of products in a FIPS-compliant environment.