FIPS 140-2: What is it and why is it important?

By Brian Rinehart, Systems Engineering Manager

Security is top of mind today, as the majority of industries undergo a digital transformation and face a growing number of increasingly sophisticated threats.  Systems and processes are becoming more digital and data-centric, which while presenting new opportunities, also generates new challenges.

Organizations around the globe and across industries are producing, collecting, analyzing, sharing, and storing more data now than at any other time in history.  The amount and utilization of data will only continue to grow over time.  Digital systems, processes, and data utilization requirements are affording organizations opportunities for higher efficiencies and productivity, streamlined operations and decision-making, and enhanced innovation, but also a greater exposure to risk.

The U.S. government, also undergoing a digital transformation, is among the largest producers and consumers of digital data, all while being targeted by an ever-increasing number of cyberattacks.  One of the ways the federal government manages these challenges is through the use of time-tested Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules to assist with data security, both while in storage (Data at Rest), as well as during data transfers (Data in Motion).

What is FIPS 140-2?

FIPS 140 specifies the security requirements a cryptographic module must satisfy to protect sensitive but unclassified information.  Developed by the U.S. government and first published by the National Institute of Standards & Technology (NIST) in 2001, FIPS 140-1 was replaced with FIPS 140-2 and since May 2002 has been the only standard accepted by the Cryptographic Module Validation Program.  FIPS 140-2 continues to be prized by the U.S. government, as well as a growing number of industries and government bodies, with the last Annex occurring in January 2018.

Protection of a cryptographic module is necessary to maintain the confidentiality and integrity of the information protected by the module.  The standard pertains to cryptographic module hardware, software, and combination hardware/software implementations that provide cryptographic services such as encryption, authentication, digital signature, and key management in computer systems, including data storage and networking devices, used in various locales ranging from offices to hostile environments.  The standard also allows the security boundary to be defined, e.g., from the chip, card, box, or enterprise level.

FIPS 140-2 security requirements define 11 areas related to the design and implementation of a cryptographic module, covering a broad array of environments and applications: cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. For each area, a cryptographic module receives a security level rating between 1 and 4, ranked in order from lowest to highest security, depending on what requirements are met.

Cryptographic and Security Testing (CST) Laboratories accredited by NIST’s National Voluntary Laboratory Accreditation Program (NVLAP) perform conformance testing of cryptographic modules, determining whether products and associated documentation adhere to FIPS 140-2 standard requirements.  The overseeing governmental body validates the test results, and issues a validation certificate for the cryptographic module, which can be either an embedded component of a product or a complete product in and of itself.  The validation certificate lists individual ratings for each of the 11 areas, as well as an overall rating, which factors in the minimum independent ratings in the areas with levels and fulfillment of all the requirements in the other areas.

Why is FIPS 140-2 important?

FIPS 140-2 is considered the benchmark for security, the most important standard of the government market, and critical for non-military government agencies, government contractors, and vendors who work with government agencies.  FIPS 140-2 certification assures users that a specific technology has passed rigorous testing by an accredited lab, that the test results have been validated, and that the product can be used to secure sensitive information.

The Federal Information Security Management Act (FISMA), signed into law as part of the larger E-Government Act of 2002, defines an information security framework to protect government information, operations, and assets against threats.  FISMA requires adherence to a set of federal data security standards and guidelines, that includes FIPS 140-2, to reduce the security risk to federal information and data.  FISMA requirements apply to federal (and even some state) agencies and any private businesses involved in a contractual relationship with the government.  Simply put, FIPS 140-2 validation is required for the sale of products with cryptography to the federal government.

Applicable to virtually all U.S. federal agencies, FIPS 140-2 has been adopted by certification authorities in other countries, such as Canada and Japan, and across other industries that demand high-security standards, including the financial, energy, telecommunications, and other markets.  Information security experts actively recommend the use of technologies certified to proven security standards, like FIPS 140-2, throughout supply chains – not just for government use, but also in safety-critical applications, ranging from critical energy infrastructures to the latest advanced driver-assistance systems (ADAS) and autonomous vehicles.

Make FIPS 140-2 part of your security risk mitigation strategy by insisting on products that comply with proven FIPS 140-2 information system security standard requirements.  Even when a project doesn’t require adherence to security standards, the use of products that comply with FIPS 140-2 is recommended.  It demonstrates leadership, initiative to go above and beyond for customers and end users, preparedness to meet future requirements, and dedication to safety and security.

Contact Crystal Group for answers to your questions, more on important industry standards and requirements, a quote for your project, and information about new Crystal Group PASS™ (Platform Agnostic Security Solutions), including the world’s first rugged data storage products that are FIPS 140-2 compliant. Crystal Group rugged computing products are engineered with innovative techniques to protect components from severe physical conditions such as shock, temperature, salt, water, dust, and more, to help extend operational life, boost performance, and increase reliability.



Brian Rinehart is the Systems Engineering Manager at Crystal Group. He has been with the company since 2010. Prior to Crystal Group, Brian spent several years at Rockwell Collins as Principal Electrical Engineer and Senior Engineering Manager. Brian received BSEE, in RF and DSP Communication from Iowa State University.