This page offers a brief overview of the FIPS 140 criteria. Rycombe offers a number of services to companies undertaking secure product evaluations. See our Certification Support page for details, or Contact Us for more information.
FIPS 140 certification is important to any vendor selling cryptography into the US Federal space. If your IT product utilizes any form of encryption, it will likely require validation against the FIPS 140 criteria by the Cryptographic Module Validation Programme (CMVP) run jointly by NIST in the United States and CSE in Canada before it can be sold and installed in a Federal agency or DoD facility.
Introduction
Federal Information Processing Standard 140 (FIPS 140) is a standard that describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The standard was published by the National Institute of Standards and Technology (NIST), has been adopted by the Canadian government's Communications Security Establishment (CSE), and is jointly administered by these bodies under the umbrella of the Cryptographic Module Validation Programme (CMVP).
The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorised roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, and self-testing.
There are currently two active versions of the standard. FIPS 140-2 was originally published in May 2001 and, after nearly twenty years, the scheme is transitioning to the next version of the standard: FIPS 140-3. This is essentially an ISO standard, INCITS/ISO/IEC 19790:2012(2014), based on an updated version of FIPS 140-2, wrapped up in a federal publication to allow for local requirements for cryptographic algorithms, etc., to be included within the standard.
It is possible to evaluate to either version of the standard during the transition period. However, from September 21, 2021, CMVP will stop accepting FIPS 140-2 submissions for new validation certificates.
Do you need FIPS 140 certification?
We could give you many reasons why your product requires FIPS 140 certification, but the only one that is truly compelling is regulatory. FIPS 140 evaluation is required for sale of products implementing cryptography to the Federal Government. If you don't have a certificate or at least demonstrate a commitment to obtaining one, then there is a good chance that you won't be able to sell your product in this key market.
In addition, the financial community increasingly specifies FIPS 140 as a procurement requirement and is beginning to embrace it, wholly or in part, in its own standards.
Less compelling reasons to obtain certification are that FIPS 140 can be viewed as a quality mark. It can be used as a marketing tool. If you have FIPS 140 and your competition does not, then you may have a competitive advantage.
The Requirements
Documentation provided must include the following: Non-Proprietary Security Policy; Finite State Machine; Master Components List; Software/Firmware Module Descriptions; Source code listing for all software and firmware within cryptographic boundary; Description of module roles and services; Description of key management lifecycle; Algorithm Conformance Certificates.
Many of these documents are probably produced during the normal product development lifecycle. However, the Finite State Machine and Security Policy may be new to you. The security policy must be a separate releasable document that is retained by NIST, but all other documentation may be proprietary and submitted only to the testing laboratory. Templates can be obtained from Rycombe as part of our consultancy service.
Levels
The different levels within the standard provide different levels of security and, at the higher levels, have different documentation requirements.
Level 1: The lowest level of security. No physical security mechanisms are required in the module beyond the requirement for production-grade equipment.
Level 2: Tamper-evident physical security or pick-resistant locks. Level 2 provides for role-based authentication. It allows software cryptography in multi-user timeshared systems when used in conjunction with a C2 or equivalent trusted operating system.
Level 3: Tamper-resistant physical security. Level 3 provides for identity-based authentication.
Level 4: Physical security provides an envelope of protection around the cryptographic module. Also protects against fluctuations in the production environment.
FIPS 140-3
Currently, vendors have a choice as to whether to validate a cryptographic module against FIPS 140-2 or FIPS 140-3. The two versions are equivalent, and there is no penalty for choosing FIPS 140-2. It is a known quantity and, for existing certified modules, it is cheaper to revalidate to FIPS 140-2 than to carry out a new validation to the new version of the standard.
However, from September 21, 2021, no FIPS 140-2 submissions that result in a new certificate will be accepted. For this reason, if there is an expectation that future versions of a module will require revalidation, FIPS 140-3 may be the better business decision, although until the new standard beds in, lab costs may be higher and project timescales may be longer for FIPS 140-3.
Here is a link to the NIST website to access the scheme documentation: CMVP publications
The validation landscape is constantly changing. To see how we can help you to negotiate it, please read about how we work, or contact us to discuss the matter.
Links
Our Links page will direct you to more detailed source material at the NIST web-site, and provide you with more background information.