Introduction to FIPS 140-2

Federal Information Processing Standard 140-2(FIPS 140-2) is a standard that describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The standard was published by the National Institute of Standards and Technology (NIST), has been adopted by the Canadian government's Communication Security Establishment (CSE), and is jointly administered by these bodies under the umbrella of the Cryptographic Module Validation Programme (CMVP).

The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorised roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.

Levels and their meaning

The different levels within the standard provide different levels of security and in the higher levels, have different documentation requirements.

Level 1: The lowest level of security. No physical security mechanisms are required in the module beyond the requirement for production-grade equipment.

Level 2: Tamper evident physical security or pick resistant locks. Level 2 provides for role-based authentication. It allows software cryptography in multi-user timeshared systems when used in conjunction with a C2 or equivalent trusted operating system.

Level 3: Tamper resistant physical security. Level 3 provides for identity-based authentication.

Level 4: Physical security provides an envelope of protection around the cryptographic module. Also protects against fluctuations in the production environment.

Why does FIPS 140-2 certification matter?

Enterprises today are demanding more from their mobility solutions, including providing workers with access to sensitive enterprise data whether in the office or on the road. With this increased level of access comes an increased level of risk. Our FIPS 140-2 certifications provide IT managers with assurance that the risks surrounding data at rest and data in transit can be adequately managed using CMS' products.

As you can see, FIPS 140-2 provides security-conscious organizations with the peace of mind to continue forward with worker productivity and to realize the benefits of mobile solutions without having to worry about compromising the security of their data. FIPS 140-2 is an important certification for the CMS' solutions.