FIPS Validation: what is it? PDF Print

In the US, requirements for government security are regulated by Federal Information Processing Standards (FIPS) publications, which are developed by the National Institute of Standards for Technology (NIST) for use government-wide. NIST develops FIPS when there are compelling federal government requirements for security and interoperability and there are no acceptable industry standards or solutions.

Considered a benchmark for security in government, FIPS validation assures users that a given technology has passed rigorous testing under either the CAVP (Cryptographic Algorithm Validation Program) or CMVP (Cryptographic Module Validation Program) by an accredited third-party lab and can be used to secure sensitive information.

There are many FIPS:

  • FIPS 140-2 – Security Requirements for Cryptographic Modules
  • FIPS 186-2 – Digital Signature Standard including Elliptic Curve Digital Signature Algorithm (ECDSA)
  • FIPS 190 – Guideline For The Use Of Advanced Authentication Technology Alternatives
  • FIPS 197 – The Advanced Encryption Standard (AES)
  • FIPS 201 - Personal Identity Verification of Federal Employees and Contractors

By far the most important to the government market is FIPS 140-2, because FIPS 140-2 Validation is required for sale of products implementing cryptography to the Federal Government. If you don't have FIPS 140-2 Validation for your product, and can't show that you are going to be obtaining it, you will not be able to access the government market with your products.

FIPS 140-2 identifies eleven areas for a cryptographic module used inside a security system that protects information:

  • Cryptographic Module Specification
  • Cryptographic Module Ports and Interfaces
  • Roles, Services and Authentication
  • Finite State Model
  • Physical Security
  • Operational Environment
  • Cryptographic Key Management
  • Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
  • Self Tests
  • Design Assurance
  • Mitigation of Other Attacks

The standard also provides four increasing, qualitative levels of security, from 1 to 4 (1 being the lowest) for these eleven areas and then assigns a single overall rating. The different levels provide increasing levels of security as follows:

* Level 1: No physical security mechanisms are required in the module beyond the requirement for production-grade equipment.
* Level 2: Tamper evident physical security or pick resistant locks. Level 2 also provides for role-based authentication.
* Level 3: Tamper resistant physical security. Level 3 provides for identity-based authentication.
* Level 4: Physical security provides an envelope of protection around the cryptographic module and protects against fluctuations in the production environment.

The rating depends on how many of the eleven FIPS 140-2 requirements the cryptographic module meets.

FIPS Validation Process in more detail