

By Brian Rinehart, Systems Engineering Manager

Security is top of mind today, as the majority of industries undergo a digital transformation and face a growing number of increasingly sophisticated threats. Systems and processes are becoming more digital and data-centric, which, while presenting new opportunities, also generates new challenges. Organizations around the globe and across industries are producing, collecting, analyzing, sharing, and storing more data now than at any other time in history. The amount and utilization of data will only continue to grow over time.

Digital systems, processes, and data utilization requirements are affording organizations opportunities for higher efficiencies and productivity, streamlined operations and decision-making, and enhanced innovation, but also a greater exposure to risk. The U.S. government, also undergoing a digital transformation, is among the largest producers and consumers of digital data, all while being targeted by an ever-increasing number of cyberattacks. One of the ways the federal government manages these challenges is through the use of time-tested Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, to assist with data security, both while in storage (Data at Rest), as well as during data transfers (Data in Motion).

What is FIPS 140-2?

FIPS 140 specifies the security requirements a cryptographic module must satisfy to protect sensitive but unclassified information. government and first published by the National Institute of Standards & Technology (NIST) in 2001, FIPS 140-1 was replaced with FIPS 140-2 and since May 2002 has been the only standard accepted by the Cryptographic Module Validation Program. FIPS 140-2 continues to be prized by the U.S. government, as well as a growing number of industries and government bodies, with the last Annex occurring in January 2018. Protection of a cryptographic module is necessary to maintain the confidentiality and integrity of the information protected by the module. The standard pertains to cryptographic module hardware, software, and combination hardware/software implementations that provide cryptographic services such as encryption, authentication, digital signature, and key management in computer systems, including data storage and networking devices, used in various locales ranging from offices to hostile environments. The standard also allows the security boundary to be defined, e.g., from the chip, card, box, or enterprise level.

FIPS 140-2 security requirements define 11 areas related to the design and implementation of a cryptographic module, covering a broad array of environments and applications: cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. For each area, a cryptographic module receives a security level rating between 1 and 4, ranked in order from lowest to highest security, depending on what requirements are met.

Cryptographic and Security Testing (CST) Laboratories accredited by NIST's National Voluntary Laboratory Accreditation Program (NVLAP) perform conformance testing of cryptographic modules, determining whether products and associated documentation adhere to FIPS 140-2 standard requirements. The overseeing governmental body validates the test results, and issues a validation certificate for the cryptographic module, which can be either an embedded component of a product or a complete product in and of itself. The validation certificate lists individual ratings for each of the 11 areas, as well as an overall rating, which factors in the minimum independent ratings in the areas with levels and fulfillment of all the requirements in the other areas.

Why is FIPS 140-2 important?

FIPS 140-2 is considered the benchmark for security, the most important standard of the government market, and critical for non-military government agencies, government contractors, and vendors who work with government agencies.
