What is FIPS 140?


The Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements that will be satisfied by a cryptographic module used within a security system that safeguards protected information. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3 and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. The security requirements cover 11 areas related to the secure design and implementation of a cryptographic module.

These areas include:

  • Cryptographic module specification
  • Cryptographic module ports and interfaces
  • Roles, services and authentication
  • Finite state model
  • Physical security
  • Operational environment
  • Cryptographic key management
  • Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
  • Self-tests
  • Design assurance
  • Mitigation of other attacks

A FIPS 140-2 validation certificate is issued for each validated module. An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas. It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address).