Rycombe Consulting logo

FIPS 140-2 Overview

This page offers a brief overview of the FIPS 140-2 criteria. Rycombe offers a number of services to companies undertaking secure product evaluations. See our Certification Support page for details, or Contact Us for more information.

FIPS 140-2 certification is iportant to any vendor selling cryptography into the Federal market space. If your IT product utilizes any form of encryption, it will likely require validation against teh FIPS 140 criteria by the Cryptographic Module Validation Programme (CMVP) run jointly by NIST in the United States and CSE in Canada before it can be sold and installed in a Federal agency or DoD facility.

* Table of Contents
* Introduction

Federal Information Processing Standard 140-2(FIPS 140-2) is a standard that describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The standard was published by the National Institute of Standards and Technology (NIST), has been adopted by the Canadian government's Communication Security Establishment (CSE), and is jointly administered by these bodies under the umbrella of the Cryptographic Module Validation Programme (CMVP).

The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorised roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.

* Do you need FIPS 140-2 certification?

We could give you many reasons why your product requires FIPS 140-2 certification, but the only one that is truly compelling is regulatory. FIPS 140-2 evaluation is required for sale of products implementing cryptography to the Federal Government. If you don't have a certificate or at least demonstrate a commitment to obtaining one, then there is a good chance that you won't be able to sell your product in this key market.

In addition, the financial community increasingly specifies FIPS 140-2 as a procurement requirement and is beginning to embrace it, wholly or in part in its own standards.

Less compelling reasons to obtain certification are that FIPS 140-2 can be viewed as a quality mark. It can be used as a marketing tool. If you have FIPS 140-2 and your competition does not, then you may have a competitive advantage.

* The Requirements

Documentation provided must include the following: Non-Proprietary Security Policy; Finite State Machine; Master Components List; Software/Firmware Module Descriptions; Source code listing for all software and firmware within cryptographic boundary; Description of module roles and services; Description of key management lifecycle; Algorithm Conformance Certificates; and FCC certificates for EMI/EMC compliance.

Many of these documents are probably produced during the normal product development lifecycle. However the Finite State Machine and Security Policy may be new to you. The security policy must be a separate releasable document that is retained by NIST, but all other documentation may be proprietary and submitted only to the testing laboratory. Templates can be obtained from Rycombe as part of our consultancy service.

* Levels

The different levels within the standard provide different levels of security and in the higher levels, have different documentation requirements.

Level 1: The lowest level of security. No physical security mechanisms are required in the module beyond the requirement for production-grade equipment.

Level 2: Tamper evident physical security or pick resistant locks. Level 2 provides for role-based authentication. It allows software cryptography in multi-user timeshared systems when used in conjunction with a C2 or equivalent trusted operating system.

Level 3: Tamper resistant physical security. Level 3 provides for identity-based authentication.

Level 4: Physical security provides an envelope of protection around the cryptographic module. Also protects against fluctuations in the production environment.

* FIPS 140-3

FIPS 140-2 was signed on 22nd June 2001. The plan is to revise the standard every five years, and the third revision of FIPS 140-3 was announced on 12th January 2005. However, the publication of the draft revisions and its approval has not followed the original timeline. With the delay to its publication, an ISO standard (ISO/IEC 19790:2012) has been developed based around the draft of FIPS 140-3.

The current plan within NIST is to completely skip FIPS 140-3 and move to FIPS 140-4. This will eseentially be a wrapper around the ISO standard. Currently there is no schedule published for the adoption of FIPS 140-4

Here is a link to the NIST website for a copy of the FIPS 140-2 standard: latest copy of FIPS 140-2 (.pdf)

However, even in the absence of a successor to FIPS 140-2, the criteria continue to evolve through additions to the CMVP's implementation guidance and Special Publications. A number of algorithms were depricated at the end of 2010, and there was also an increase in the minimum key length required for a number of algorithms, for example. These changes were announced in SP 800-131 A.

The validation landscape is constantly changing. To see how we can help you to negotiate it, please read about how we work, or contact us to discuss the matter.

* Links

Our Links page will direct you to more detailed source material at the NIST web-site, and provide you with more background information.

Rycombe Consulting 1999-2015. All Rights Reserved.