FIPS 140-2

Validate your product to meet Regulated Industry and Government requirements for cryptography

What Is FIPS 140-2?

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. and Canadian co-sponsored security standard for hardware, software, and firmware solutions. In U.S. government procurement, all solutions that use cryptography must complete FIPS 140-2 validation to ensure end users receive a high degree of security, assurance, and dependability.
Are you being asked to support FIPS 140-2? Corsec can help: from analyzing your business drivers to reviewing your product architecture, our team can educate you on the standard and detail how to quickly address your requirements.

FIPS Inside & FIPS Compliance

Corsec details the differences between FIPS 140-2 Validation, FIPS Compliant, and FIPS Inside.
Your customer requests, timelines, and product will all influence which approach is best suited for your company. Review the white paper to learn more.

The Standard: FIPS 140-2

- The use of FIPS 140-2 validated products is mandated by Section 5131 of the Information Technology Management Reform Act of 1996.
- All products sold into U.S. federal agencies are required to complete FIPS 140-2 validation if they use cryptography in security systems that process Sensitive But Unclassified (SBU) information.
- Security requirements are outlined in full within the NIST FIPS 140-2 PUB.

The Requirements: Security & Levels

FIPS 140-2 contains eleven Derived Test Requirements (DTRs) that detail the requirements that must be provided to demonstrate conformance to the standard. Each section also describes the methods that the testing lab will use to test the module.

Within each of the eleven sections, there are four increasing qualitative security levels. At each level, greater amounts of evidence and engineering are required of the product in order to show compliance with the standard:

Level 1

Requirements
- Validation of at least one approved algorithm or security function
- Production-grade evaluated components

Level 2

Requirements
- All Level 1 requirements
- Role-based authentication & physical security requirements for tamper evidence

Level 3

Requirements
- All Level 1 and 2 requirements
- Identity-based authentication & physical security mechanisms for tamper detection & tamper response

Level 4

Requirements
- All Level 1, 2, and 3 requirements
- Physical security mechanisms to detect and respond to tampering, including environmental attacks

Level 1

- Validation of approved algorithm and sources of encryption
- Physical security of normal production grade materials

Level 2

- All Level 1 requirements
- Additional physical security requirements for tamper resistance, including pick-resistant locks, covers, and doors as well as tamper-evident coatings or seals preventing physical access

Level 3

- All Level 1 and Level 2 requirements
- Physical security mechanisms for tamper detection and response that can zero out or wipe critical security parameters within a device

Level 4

- All Level 1, 2, and 3 requirements
- Physical security mechanisms able to detect tampering and respond to such attempts by wiping all plaintext critical security parameters
- Protection against environmental attacks, including attempts to compromise via voltage and/or temperature outside the normal operating range

The Process: Done Once, Done Right

Corsec’s Three-Step Methodology helps to decrease risk, increase security, and accelerate sales, guaranteeing validation success – Done Once, Done Right!

Assess

An Assessment of Your Company & Product to Identify an Efficient Validation Path

Enhance

Design Consulting to Harden Your Product Against FIPS Requirements

Validate

End-to-End Support to Guide You Through The Entire Validation Process

Determining the appropriate approach for your FIPS 140-2 validation is essential: depending on your product, the level you pursue, the boundary you draw, and the engineering changes required, your path to certification could vary greatly.