FIPS 140-2: What is it and why do you care?

By: Matt Nelson on January 28th, 2013


The National Institute of Standards and Technology (NIST) Computer Security Division issued a series of publications to coordinate requirements and standards for cryptography modules, both hardware and software. Federal Information Processing Standard (FIPS) Publication 140-2 spells out the requirements and provides for the accreditation of such modules by testing and certifying that these requirements have been met.

There are now legislative restrictions placed on Federal agencies that require them to use tested and validated cryptography products. Governmental agencies as well as sensitive private industry applications such as financial and health care are relying to an increasing extent on FIPS 140-2 certified products to meet legal requirements and to improve their confidence that sensitive data will be protected. These legislative restrictions mandate that anybody wanting to sell products incorporating data encryption into these markets will have to have official certification. Essentially, if a governmental agency needs to encrypt data, they must do it with a certified product.

The FIPS 140-2 Standard can easily be obtained from the NIST website. It is a 69-page document and is amended from time to time. It provides requirements related to the security and design of a cryptographic module, covering specifications, ports and interfaces, roles, services and authentication, the finite state model, physical security, the operational environment, cryptographic key management and EMI/EMC compatibility.

The FIPS 140-2 Standard defines four levels of security in order to cover a wide range of applications:

Security Level 1 provides the lowest level and simply requires that an approved encryption algorithm or approved security function be implemented.

Security Level 2 adds a requirement for tamper-evidence through the use of special coatings or seals that prevent undetected access to the cryptographic keys and critical security parameters within the module. It also specifies role-based authentication, defining certain operator roles and controlling the authorization of services appropriate to each role. The AvaLAN AW140 meets this level.

Security Level 3 further requires tamper-resistant physical security and identity-based authentication.

Security Level 4 further requires a complete physical envelope of protection around the module with the intent of detecting and responding to all unauthorized attempts at physical access.
