FIPS 140-2 is a Federal Information Processing Standard that governs security requirements for cryptographic modules. The National Institute of Standards and Technology (NIST) published the security standard in November 2001 to develop coordinated requirements for hardware computer components.
NIST replaced FIPS 140-2 with FIPS 140-3 in March 2019. This iteration introduced new critical security parameters for software and firmware and updated the four critical security levels that FIPS 140-2 introduced. These four security levels include regulations that the U.S. government and other highly regulated industries that store, collect, or disclose sensitive information (finance, healthcare, etc.) must comply with.
What Is Cryptography?
Cryptography is an encryption method that uses technical codes to protect sensitive data and ensure information security. This method commonly uses cryptographic keys, algorithms, and crypto techniques such as microdots or encryption (scrambling plaintext into ciphertext).
What Is Sensitive Data?
Sensitive data includes any information, whether original or copied from another source, that contains:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data
Health data
Sex life or sexual orientation
Financial information (bank account numbers and credit card numbers)
Classified information
Some regulatory standards, including the EU's General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Gramm-Leach-Bliley Act (GLBA), all include provisions that protect other types of information as sensitive data.
Recommended reading: What Is the Primary Method for Protecting Sensitive Data? and What Is Sensitive Data?
FIPS 140-1 vs. FIPS 140-2 vs. FIPS 140-3
NIST launched the FIPS 140 publication series in 1994 to establish the Cryptographic Module Validation Program (CMVP) through a joint effort with the Canadian government.
Starting with FIPS 140-1, the publication series now spans three iterations, each improving upon the last and fortifying the validation process with increasingly robust standards.
FIPS 140-1
As previously mentioned, FIPS 140-1 established the CMVP. The publication is one of NIST's most successful standards and is still relevant today. Unlike other published standards that have changed in scope or applicability, FIPS 140-1 has only been strengthened by FIPS 140-2 and FIPS 140-3.
When NIST released FIPS 140-1, it imposed requirements across eleven areas of cryptographic modules:
Cryptographic module specification (documentation and procedural records)
Ports and interfaces (what information flows into and out of a cryptographic module)
User roles, access levels, and authentication
Finite state model (documentation of what states a module can occupy and when and why transitions are triggered)
Physical security (tamper evidence and resistance)
Operational environment (what operating system a module uses)
Cryptographic key management (encryption generation, storage, lifecycle, and destruction)
Electromagnetic compatibility (what systems a module is compatible with)
Security tests (procedures outlining what tests must be completed and the consequences of failure)
Module design (documentation that proves a module was designed to meet current industry standards)
Attack mitigation (records proving a module has been designed to mitigate particular types of environmental attacks)
FIPS 140-2
FIPS 140-2 ensures that the hardware organizations use to store sensitive data and other protected information meets critical security specifications and key management requirements.
This second iteration of the FIPS publication series introduced the FIPS certification process, which is defined by four increasing, qualitative levels of security.
Qualitative Levels of Security
Level 1: Requires organizations to use "production-grade" hardware, physical security mechanisms, and externally tested and approved algorithms
Level 2: Adds further requirements for physical tamper-evidence and role-based authentication. It also requires all operating systems to be approved under Common Criteria
Level 3: Adds requirements for identity-based authentication and tamper-proof physical security features (pick-resistant locks). It also requires a logical separation between the interfaces, allowing "critical security parameters" to enter and leave the module. Encryption keys that meet the Advanced Encryption Standard (AES) are also required across entrances and exits
Level 4: Adds physical security requirements that will erase the contents of a device if the system detects severe vulnerabilities or cyber-attacks
FIPS 140-3
Overall, FIPS 140-3 expanded the scope of FIPS 140-2 to cover firmware and software in addition to hardware computer components. The FIPS 140-3 standard supersedes all FIPS 140-2 standards from its effective date in 2019. FIPS 140-3 also incorporates two existing standards (ISO 19790 and ISO 24759) to raise its requirements for cryptographic modules and cryptographic algorithms.
With FIPS 140-3, NIST also updated several requirements within its qualitative security levels. Most notably, these updates included:
Level 2 security clearance can now be achieved by software modules without a Common Criteria dependency
Level 2 security clearance now includes OS requirements that are similar to the criteria outlined in the Common Criteria OSPP
Level 3 security clearance now requires Environmental Failure Testing (EFT) or Environmental Failure Protection (EFP)
Level 4 security clearance now requires Environmental Failure Protection (EFP) to meet voltage and temperature demands
Level 4 security clearance now requires fault induction protection
Level 4 security clearance now requires multi-factor authentication
Where Can I Learn More About FIPS 140-3?
The Cybersecurity blog, "What is FIPS 140-3? The Critical Updates You Must Be Aware Of," includes additional information about FIPS 140-3. The blog also lists further technical differences between FIPS 140-2 and FIPS 140-3.
Who Must Comply With FIPS 140?
The Federal Information Security Management Act (FISMA) requires various U.S. entities to maintain FIPS-compliant cryptographic modules. Canada has also adopted FIPS standards to validate cryptographic modules across several highly regulated industries.
Overall, the following groups are required to comply with FIPS 140 standards:
U.S. government agencies and U.S. government contractors
Canadian federal agencies and Canadian government contractors
Third parties working alongside federal government agencies
Cybersecurity organizations that market or sell to regulated industries
Additional industries, such as finance, healthcare, and other highly regulated practices, have also adopted FIPS standards because of the publication's strong focus on securing and protecting sensitive data.
When Will FIPS 140-2 Certificates Be Retired?
The U.S. Federal Government is currently establishing practices to validate all FIPS 140-2 certificates against the new standards outlined by FIPS 140-3. In addition, NIST announced that all FIPS 140-2 validations will be retired by September 2026.
How Can Cybersecurity Help with FIPS 140-3?
Cybersecurity's vendor questionnaire software empowers organizations to achieve compliance across their digital supply chains. Users of Cybersecurity Vendor Risk can access Cybersecurity's flexible vendor questionnaire library or configure custom questionnaires of their own using the platform's intuitive and easy-to-use interface.
After sending and receiving vendor questionnaires, organizations can also use Cybersecurity's remediation workflows to work alongside vendors to resolve compliance issues and eliminate compliance risks.
Overall, Cybersecurity Vendor Risk allows organizations to elevate their third-party risk management programs through the use of powerful cybersecurity tools such as:
Start your Cybersecurity free trial right now. Or, discover how Cybersecurity helps organizations protect their internal and external attack surfaces by learning more about Cybersecurity's robust cybersecurity solutions.
