What is FIPS 140-2 and 140-3?

FIPS stands for the Federal Information Processing Standards. The standards were developed by the National Institute of Standards and Technology (NIST) for use in computer systems by non-military American government agencies and government contractors.

Cybersecurity organizations wanting to sell to regulated industries are required to implement these standards. Accredited third-party labs must then validate these implementations.

The Federal Information Security Management Act (FISMA) requires U.S. government agencies to use cryptography modules that abide by FIPS standards. U.S. government contractors and third-parties that work under or for federal government agencies are also required to abide by FIPS. Other industries such as healthcare and finance are following suit and adopting FIPS standards to secure critical data.

What is FIPS 140-2?

FIPS 140-2 outlines the current federal security requirements for cryptographic modules. The areas covered in these standards include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. These standards ensure the secure design and implementation of a cryptographic module.

Note: Testing of cryptographic modules against FIPS 140-2 will end on September 22, 2021 in favor of FIPS 140-3 standards.

What is FIPS 140-3?

FIPS 140-3 supersedes FIPS 140-2 and outlines updated federal security requirements for cryptographic modules. The new standards align with ISO/IEC 19790:2012(E) and include modifications of the Annexes that are allowed to the Cryptographic Module Validation Program (CMVP), as a validation authority.

What are the FIPS Requirements for Module Validation?

FIPS standards dictate that any cryptographic module (both hardware and software included) implements algorithms from an approved list. Approved algorithms include both symmetric and asymmetric encryption techniques as well as the use of message authentication and hash standards. Should a cryptographic module not use algorithms from the approved list, the module cannot be considered for validation. A full list of validated algorithms under FIPS 140-2 can be found here.