
QuickBooks Desktop and FIPS encryption

If you’re a DoD contractor, you might have tried to use the Windows “FIPS mode” with QuickBooks Desktop. Unfortunately, QuickBooks does not run when Microsoft’s FIPS-compliant encryption libraries are enabled.

This creates a potential problem for contractors who need to comply with NIST 800-171 requirements. Data-at-rest doesn’t necessarily need to be encrypted (see 3.13.16), as long as other approved controls are used to protect CUI. That said, without FIPS-compliant encryption, meeting 800-171 requirements becomes complicated. For example, if a portable drive is used for backups or a QuickBooks data file needs to be transferred off the bookkeeper’s PC, FIPS-validated encryption is mandatory, because the data is no longer data-at-rest.

I would urge Intuit to consider making QuickBooks Desktop compatible with Windows FIPS mode. Putting the sales impact of such a change aside, it’s the patriotic thing to do. QuickBooks Desktop is likely used by thousands of DoD contractors. Switching to QuickBooks Online simply isn’t an option, since it’s not FedRAMP approved.
