Definition: The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptographic modules, providing four increasing qualitative levels intended to cover a wide range of potential applications and environments. The NIST created FIPS 140-2, which is required for US and Canadian government procurements in accordance with the Federal Information Security Management Act (FISMA).
FIPS 140-2 Standard explained
The 140 series of FIPS are the standards that deal with computer cryptographic modules, which involves both hardware and software components used by the departments and agencies of the United States Federal Government. FIPS 140-2 is the current industry standard. FIPS 140-2 provides regulations for physical tamper-resistance, role-based authentication, and physical and logical separation of interfaces through which “critical security parameters” pass.
FIPS 140-2 has four levels, each of which is more stringent than the one before it:
- FIPS 140-2 Level 1 the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
- FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.
- FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
- FIPS 140-2 Level 4 makes the physical security requirements more stringent, and requires robustness against environmental attacks.
To certify a cryptographic module such as an HSM, private vendors must first undergo a series of FIPS testing by an independent, accredited Cryptographic and Security Testing (CST) laboratory, such as the National Voluntary Lab Accreditation Program.
Utimaco has validated various cryptographic modules against the FIPS 140-2 standard.