Home
Certification Support
- ITSEC
- Common Criteria
- FIPS 140-2
- BS 7799
Practice Management
Links
Site Map
Contact Rycombe
Search Site

 FIPS 140-2 Overview
Rycombe Consulting logo

FIPS 140-2 Overview

This page offers a brief overview of the FIPS 140-2 criteria. Rycombe offers a number of services to companies undertaking secure product evaluations. See our Certification Support page for details, or Contact Us for more information.

* Table of Contents
* Introduction

Federal Information Processing Standard 140-2(FIPS 140-2) is a standard that describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The standard was published by the National Institute of Standards and Technology (NIST), has been adopted by the Canadian government's Communication Security Establishment (CSE), and is likely to be adopted by the financial community through the American National Standards Institute (ANSI).

The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorised roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.

* Do you need FIPS 140-2 certification?

We could give you many reasons why your product requires FIPS 140-2 certification, but the only one that is truly compelling is regulatory. FIPS 140-2 evaluation is required for sale of products implementing cryptography to the Federal Government. If you don't have a certificate or at least demonstrate a commitment to obtaining one, then there is a good chance that you won't be able to sell your product in this key market.

In addition, the financial community increasingly specifies FIPS 140-2 as a procurement requirement and is beginning to embrace it, wholly or in part in its own standards.

Less compelling reasons to obtain certification are that FIPS 140-2 can be viewed as a quality mark. It can be used as a marketing tool. If you have FIPS 140-2 and your competition does not, then you may have a competitive advantage.

* The Requirements

Documentation provided must include the following: Non-Proprietary Security Policy; Finite State Machine; Master Components List; Software/Firmware Module Descriptions; Source code listing for all software and firmware within cryptographic boundary; Description of module roles and services; Description of key management lifecycle; Algorithm Conformance Certificates; and FCC certificates for EMI/EMC compliance.

Many of these documents are probably produced during the normal product development lifecycle. However the Finite State Machine and Security Policy may be new to you. The security policy must be a separate releasable document that is retained by NIST, but all other documentation may be proprietary and submitted only to the testing laboratory. Templates can be obtained from Rycombe as part of our consultancy service.

* Levels

The different levels within the standard provide different levels of security and in the higher levels, have different documentation requirements.

Level 1: The lowest level of security. No physical security mechanisms are required in the module beyond the requirement for production-grade equipment.

Level 2: Tamper evident physical security or pick resistant locks. Level 2 provides for role-based authentication. It allows software cryptography in multi-user timeshared systems when used in conjunction with a C2 or equivalent trusted operating system.

Level 3: Tamper resistant physical security. Level 3 provides for identity-based authentication.

Level 4: Physical security provides an envelope of protection around the cryptographic module. Also protects against fluctuations in the production environment.

* FIPS 140-2

FIPS 140-2 was signed on 22nd June 2001, superceding FIPS 140-1.

  • As of 22nd June 2002, only FIPS 140-2 conformance reports are accepted by NIST.
  • It is worth noting that all existing FIPS 140-1 certified products will still be approved for sale and use even though FIPS 140-2 is now in effect. Revalidations of products originally granted a FIPS 140-1 certification will need to meet the new FIPS 140-2 criteria.

Here is a link to the NIST website for their source material: latest copy of FIPS 140-2 (.pdf)

FIPS 140-3 is now in draft form and is available for download. Click here for our summary of the differences between FIPS 140-2 and FIPS 140-3.

* Links

Our Links page will direct you to more detailed source material at the NIST web-site, and provide you with more background information.



© Rycombe Consulting 1999-2008. All Rights Reserved.