FIPS 140-2 Overview
This page offers a brief overview of the FIPS 140-2 criteria. Rycombe offers a number of services to companies undertaking secure product evaluations. See our Certification Support page for details, or Contact Us for more information.
FIPS 140-2 certification is iportant to any vendor selling cryptography into the Federal market space. If your IT product utilizes any form of encryption, it will likely require validation against teh FIPS 140 criteria by the Cryptographic Module Validation Programme (CMVP) run jointly by NIST in the United States and CSE in Canada before it can be sold and installed in a Federal agency or DoD facility.
Federal Information Processing Standard 140-2(FIPS 140-2) is a standard that describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The standard was published by the National Institute of Standards and Technology (NIST), has been adopted by the Canadian government's Communication Security Establishment (CSE), and is jointly administered by these bodies under the umbrella of the Cryptographic Module Validation Programme (CMVP).
The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorised roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.
We could give you many reasons why your product requires FIPS 140-2 certification, but the only one that is truly compelling is regulatory. FIPS 140-2 evaluation is required for sale of products implementing cryptography to the Federal Government. If you don't have a certificate or at least demonstrate a commitment to obtaining one, then there is a good chance that you won't be able to sell your product in this key market.
In addition, the financial community increasingly specifies FIPS 140-2 as a procurement requirement and is beginning to embrace it, wholly or in part in its own standards.
Less compelling reasons to obtain certification are that FIPS 140-2 can be viewed as a quality mark. It can be used as a marketing tool. If you have FIPS 140-2 and your competition does not, then you may have a competitive advantage.
Documentation provided must include the following: Non-Proprietary Security Policy; Finite State Machine; Master Components List; Software/Firmware Module Descriptions; Source code listing for all software and firmware within cryptographic boundary; Description of module roles and services; Description of key management lifecycle; Algorithm Conformance Certificates; and FCC certificates for EMI/EMC compliance.
Many of these documents are probably produced during the normal product development lifecycle. However the Finite State Machine and Security Policy may be new to you. The security policy must be a separate releasable document that is retained by NIST, but all other documentation may be proprietary and submitted only to the testing laboratory. Templates can be obtained from Rycombe as part of our consultancy service.
The different levels within the standard provide different levels of security and in the higher levels, have different documentation requirements.
Level 1: The lowest level of security. No physical security mechanisms are required in the module beyond the requirement for production-grade equipment.
Level 2: Tamper evident physical security or pick resistant locks. Level 2 provides for role-based authentication. It allows software cryptography in multi-user timeshared systems when used in conjunction with a C2 or equivalent trusted operating system.
Level 3: Tamper resistant physical security. Level 3 provides for identity-based authentication.
Level 4: Physical security provides an envelope of protection around the cryptographic module. Also protects against fluctuations in the production environment.
FIPS 140-2 was signed on 22nd June 2001. The plan is to revise the standard every five years, and the third revision of FIPS 140-3 was announced on 12th January 2005. However, the publication of the draft revisions and its approval has not followed the original timeline. The final version will hopefully be published and approved sometime this year and then after Derived Test Requirements are published, the standard will become effective soon after and labs will be able to accept FIPS 140-3 validations.
Once FIPS 140-3 is effective, after a transition period, FIPS 140-2 will be retired and validation under FIPS 140-2 will end. However, that is still some time away and all validations commencing in the short term will be to FIPS 140-2.
Here is a link to the NIST website for a copy of the FIPS 140-2 standard: latest copy of FIPS 140-2 (.pdf)
However, even in the absence of FIPS 140-3, the criteria continue to evolve through additions to the CMVP's implementation guidance and Special Publications. A number of algorithms were depricated at the end of 2010, and there was also an increase in the minimum key length required for a number of algorithms, for example. These changes were announced in SP 800-131 A.
Our Links page will direct you to more detailed source material at the NIST web-site, and provide you with more background information.
© Rycombe Consulting 1999-2013. All Rights Reserved.