FIPS 140-2 is a federal information processing standard that manages security requirements for cryptographic modules. The National Institute of Standards and Technology (NIST) published the security standard in November 2001 to develop coordinated requirements for hardware computer components.
NIST replaced FIPS 140-2 with FIPS 140-3 in March 2019. This iteration introduced new critical security parameters for software and firmware and updated the four critical security levels that FIPS 140-2 introduced. These four levels of security include regulations that the U.S. government and other highly regulated industries that store, collect, or disclose sensitive information (finance, healthcare, etc.) must comply with.
What is Cryptography?
Cryptography is an encryption method that utilizes technical codes to protect sensitive data and ensure information security. This method commonly uses cryptographic keys, algorithms, and crypto techniques such as microdots or encryption (scrambling plaintext into ciphertext).
What is Sensitive Data?
Sensitive data includes any information, whether original or copied from another source, that contains:
- Racial or ethnic origin
- Political opinion
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
- Financial information (bank account numbers and credit card numbers)
- Classified information
Some regulatory standards, including the EU’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act of 1996 (HIPPA), and the Gramm-Leach-Bliley Act (GLBA), all include provisions that protect other types of information as sensitive data.
Recommended reading: What is the Primary Method for Protecting Sensitive Data? and What is Sensitive Data?
FIPS 140-1 vs. FIPS 140-2 vs. FIPS 140-3
NIST released the FIPS 140 publication series in 1994 to establish the cryptographic module validation program (CMVP) through a joint effort with the Canadian government.
Starting with FIPS 140-1, the publication series now spans three iterations, each improving upon the last and fortifying the validation process with increasingly robust standards.
FIPS 140-1
As previously mentioned, FIPS 140-1 established the CMVP. The publication is one of NIST’s most successful standards and is still relevant today. Unlike other published standards that have changed in scope or applicability, FIPS 140-1 has only been strengthened by FIPS 140-2 and FIPS 140-3.
When the NIST introduced FIPS 140-1, it imposed requirements across eleven areas of cryptographic modules:
- Cryptographic module specification (documentation and procedural records)
- Ports and interfaces (what information flows in and out of a cryptographic module)
- User roles, access levels, and authentication
- Finite state model (documentation of what states a module can occupy and when and why transitions are triggered)
- Physical security (tamper evidence and resistance)
- Operational environment (what operating system does a module use)
- Cryptographic key management (encryption generation, storage, lifecycle, and destruction)
- Electromagnetic compatibility (what systems is a module compatible with)
- Security tests (procedures outlining what tests must be completed and the consequences of failure)
- Module design (documentation that proves a module was designed to meet current industry standards)
- Attack mitigation (records proving a module has been designed to mitigate particular types of environmental attacks)
FIPS 140-2
FIPS 140-2 ensures that the hardware organizations utilize to store sensitive data and other protected information meets critical security specifications and key management requirements.
This second iteration of the FIPS publication series introduced the FIPS certification process, which is defined by four increasing, qualitative levels of security.
Qualitative Levels of Security
- Level 1: Requires organizations to utilize “production-grade” hardware, physical security mechanisms, and externally tested and approved algorithms
- Level 2: Adds additional requirements for physical tamper-evidence and role-based authentication. It also requires all operating systems to be approved by common criteria
- Level 3: Adds requirements for identity-based authentication and tamper-proof physical security functions (pick-resistant locks). It also requires a logical separation between the interfaces, enabling “critical security parameters” to enter and leave the module. Encryption keys that meet the Advanced Encryption Standard (AES) are also required during entrances and exits
- Level 4: Adds physical security requirements that will erase the contents of a device if the system detects severe vulnerabilities or cyber-attacks
FIPS 140-3
Overall, FIPS 140-3 expanded the scope of FIPS 140-2 to cover firmware and software in addition to hardware computer components. The FIPS 140-3 standard supersedes all FIPS 140-2 standards from its effective date in 2019. FIPS 140-3 also incorporates two existing standards (ISO 19790 and ISO 24759) to elevate its requirements for cryptographic modules and cryptographic algorithms.
With FIPS 140-3, NIST also updated several requirements within its qualitative security levels. Most notably, these updates included:
- Level 2 security clearance can now be achieved by software modules without common criteria dependency
- Level 2 security clearance now includes OS requirements that are similar to the criteria outlined in Common Criteria OSPP
- Level 3 security clearance now requires Environmental Failure Testing (EFT) or Environmental Failure Protection (EFP)
- Level 4 security clearance now requires Environmental Failure Protection (EFP) to meet voltage and temperature demands
- Level 4 security clearance now requires fault induction protection
- Level 4 security clearance now requires multi-factor authentication
Where Can I Learn More About FIPS 140-3?
The UpGuard blog, “What is FIPS 140-3? The Critical Updates You Must Be Aware Of,” includes additional information about FIPS 140-3. The blog also lists additional technical differences between FIPS 140-2 and FIPS 140-3.
Who Must Comply With FIPS 140?
The Federal Information Security Management Act (FISMA) requires various U.S. entities to maintain FIPS-compliant cryptographic modules. Canada has also adopted FIPS standards to validate cryptographic modules throughout several highly regulated industries.
Overall, the following groups are required to comply with FIPS 140 standards:
- U.S. government agencies and U.S. government contractors
- Canadian federal agencies and Canadian government contractors
- Third parties working alongside federal government agencies
- Cybersecurity organizations that market or sell to regulated industries
Additional industries, such as finance, healthcare, and other highly regulated practices, have also adopted FIPS standards because of the publication’s advanced focus on securing and protecting sensitive data.
When Will FIPS 140-2 Certificates Be Retired?
The U.S. Federal Government is currently establishing practices to validate all FIPS 140-2 certificates with the new standards outlined by FIPS 140-3. In addition, NIST announced that all FIPS 140-2 validations will be retired by September 2026.
How Can UpGuard Help with FIPS 140-3?
UpGuard Vendor Risk empowers organizations to achieve compliance across their digital supply chains. Users of UpGuard Vendor Risk can access UpGuard’s flexible vendor questionnaire library or configure custom questionnaires of their own using the platform’s intuitive and easy-to-use interface.
After sending and receiving vendor questionnaires, organizations can also utilize UpGuard’s remediation workflows to work alongside vendors to solve compliance issues and eliminate compliance risks.
Overall, UpGuard Vendor Risk enables organizations to elevate their third-party risk management programs through the use of powerful cybersecurity tools such as:
- Objective and up-to-date vendor security ratings
- Flexible and custom security questionnaires
- Comprehensive vendor risk assessments
- Powerful and intuitive remediation workflows and more
Start your UpGuard free trial right now. Or, discover how UpGuard helps organizations protect their internal and external attack surfaces by learning more about UpGuard’s robust cybersecurity solutions.