FAQ: What is FIPS 140-2 and “Validated Cryptography”?

What is FIPS 140-2?

As time marches on and technology develops, there’s a constant push and pull between information security and attempts to breach that security. Obscurity – simply hiding from sight – isn’t enough with automated processes capable of scanning any possible address looking for signs of life, so much of modern computer security comes down to cryptography.

Pretty much everyone has some experience with cryptography, from our childhood spy media to modern computer science. It’s a world full of advanced math, logical processes, and constant attacks. The US government uses cryptography to secure information against attacks from other countries and independent hacking groups, and that cryptography needs to live up to certain standards.

Those standards are outlined in FIPS 140-2 and its successor, FIPS 140-3. What are they? What is FIPS? What do you need to know, and do these standards apply to you? Let’s go through the most common questions. We won’t be getting into the weeds with deep, specific cryptography knowledge but rather the overall governmental frameworks and regulations, which is what really matters to any service provider looking to achieve certification to work with the government.

What is FIPS?

FIPS stands for the Federal Information Processing Standards. It’s an umbrella term that refers to a wide range of computer and information security standards developed by the US federal government. These standards are required by FISMA, the Federal Information Security Management/Modernization Act. They are developed by our favorite organization, the National Institute of Standards and Technology (NIST), and are approved by the secretary of commerce.

FISMA is part of the overall NIST Risk Management Framework (RMF).

FIPS governs a wide range of different aspects of information security and cybersecurity, including interoperability, physical hardware, and cryptography. The goal isn’t just to secure a system against intrusion – after all, locking a computer in a safe and burying that safe in concrete would be pretty secure – but to make sure that authorized parties can access it without obstruction.


There are a lot of different FIPS sections. For example:

  • FIPS 137, the Federal Standard for Linear Predictive Coding
  • FIPS 140, the Security Requirements for Cryptographic Modules
  • FIPS 197, the Advanced Encryption Standard (AES), which specifies the AES cipher
  • FIPS 199, the Standards for Security Categorization of Federal Information and Information Systems
  • FIPS 201, the Personal Identity Verification for Federal Employees and Contractors Standards

Today, of course, we’re focused on 140-2, the Security Requirements for Cryptographic Modules document. The full publication can be found here.

Who Has to Care About FIPS?

FIPS is a sort of middle-ground set of standards.

The highest importance in government – the classified and top secret information – is controlled by much higher standards. The same goes for the Department of Defense in general, all military agencies, and their various subcontractors and branches. These all tend to have high standards due to their level of importance and the potential disasters that could occur if they’re breached.

On the flip side, your regular everyday business, from retail outlets to fast food chains to service providers, doesn’t really have to live up to those same standards. There are industry standards, like ISO documents, that can provide enough cybersecurity protection to keep the business generally safe, though they often fall short. Cybercrime is rampant and is estimated to cost over $10 trillion around the world by next year.


While private businesses can adhere to FIPS, they aren’t required to. So, who must adhere to FIPS? It’s the groups in the middle: government agencies, contractors, vendors, cloud service providers, and other businesses working with the government but which aren’t part of the defense network, aren’t defense contractors, and aren’t generally subject to those higher security levels.

If you manage a government program, like unemployment insurance, student loans, or healthcare support like Medicaid, or are a cloud service provider offering services to the government, you are beholden to FISMA and thus FIPS.

Anyone “below” this level on the list – such as private-sector businesses with no government contracts or attachments – can still decide to comply with FIPS if they want to. It’s not mandatory, but given that FIPS is considered to be an up-to-date and useful cybersecurity standard and framework, many businesses choose to adopt it anyway.

What is the Difference Between FIPS 140-2 and FIPS 140-3?

If you’ve browsed the FIPS cybersecurity framework documents, you may have noticed that there are two with the same subtitle regarding cryptographic modules: FIPS 140-2 and FIPS 140-3. Are they contradictory, complementary, iterative, or what?

Essentially, FIPS 140-3 is an updated successor to FIPS 140-2. Rather than simply edit FIPS 140-2, the government has decided to create a new document to ease the transition. This way, they can implement all of their new standards at once, maintain both documents, and keep FIPS 140-2 certification available for a while. Agencies, contractors, and businesses can still achieve FIPS 140-2 certification, but they can also choose to pursue FIPS 140-3 certification instead.

Eventually, FIPS 140-2 will be retired and will be entirely replaced with FIPS 140-3. Currently, the plan for that transition point is September 21, 2026. That’s the scheduled timeline for when FIPS 140-2 validations will be moved to the historical list, and agencies, companies, and other entities will need to make sure they are certified with FIPS 140-3 instead.


In tangible terms, what is the difference between FIPS 140-2 and FIPS 140-3? Primarily, FIPS 140-2 deals with hardware cryptography. FIPS 140-3 expands this to include firmware, software, and hybrid modules as well.

  • FIPS 140-3 requires AES-128 or stronger for encryption and relegates older algorithms, like Skipjack, to legacy-only decryption.
  • FIPS 140-3 requires digital signature generation to provide a security strength of at least 112 bits.
  • FIPS 140-3 includes additional guidance for the use of hash functions.

Because FIPS 140-3 applies to software and hybrid rather than just hardware cryptography, this also expands the number of businesses and agencies that can apply for validation.

Is There a FIPS 140-4?

Currently, no. Generally, the government and NIST try to keep their standards up to date by pushing updates every couple of years, gradually improving standards, and reacting to changes in prevailing technology. Major changes, like replacing FIPS 140-2 with FIPS 140-3, only happen when there’s a significant enough change that simple updates would be a major burden on already-certified entities to adjust to.


That said, it’s not impossible for NIST to develop FIPS 140-4 over time. Since FIPS 140-3 doesn’t come fully into effect for another nearly two years, however, it will likely be quite some time – or a significant change in technology, like the advent of quantum computers – to require such a large jump to a new FIPS standard.

What Are the FIPS Security Levels?

Both FIPS 140-2 and FIPS 140-3 define four security levels, which rate how secure a cryptographic module is considered to be based on how fully it meets the standards' requirements. These are qualitative levels meant to cover a wide range of potential applications of cryptography.


Security Level 1 is the lowest and least secure level of cryptographic security specified by FIPS 140-2/3. It requires at least one approved algorithm or function but no specific physical security mechanisms. This level typically covers encryption on personal computers and other low-security applications.

  • Requires validation of at least one approved algorithm or function.
  • Requires production-grade components.

Security Level 2 increases the physical security requirements, primarily by adding a requirement to have tamper-evident coatings, seals, or other protection. This also requires role-based authentication with a specific level of cryptographic protection and places some restrictions on how a module can be executed on a general-purpose system.

  • Requires all Security Level 1 requirements.
  • Requires role-based authentication and physical security tamper evidence.

Security Level 3 increases the physical security requirements and adds requirements for detecting and reacting to tampering. It calls for stronger physical protection, tamper detection, tamper response circuitry (which can go as far as wiping the data held in the module), and more. Authentication is more stringent as well.

  • Requires all Security Level 2 requirements.
  • Requires identity-based authentication, tamper detection, and tamper response in physical security.

Security Level 4 is the highest level of security defined by FIPS 140-2. It has much more stringent requirements for physical security, reaction to intrusion, and more.

  • Requires all Security Level 3 requirements.
  • Requires additional detection and response to physical and environmental attacks.

As usual, all of the specific definitions can be found in the actual FIPS 140-2 document. Feel free to reference it at your leisure. Additionally, the security standards and levels are largely the same for FIPS 140-3, except 140-3 also refers to software rather than just hardware systems.

Should You Pursue FIPS 140-2 Validation?

This is an interesting question with a two-part answer.

The first part is whether you should pursue validation at all. The answer comes down to your relationship with the government: are you an agency or contractor working with the government, or do you wish to pursue government contracts? If so, chances are good that you’ll need to implement FIPS 140-2 either on its own or as part of another overall security and compliance framework.

Conversely, if you are not a government contractor or agency, and you have no desire to work with the government (or are ineligible to for one reason or another), then you don’t need to pursue FIPS 140-2. There are other cybersecurity frameworks you can choose to follow instead, which are generally easier to implement and certify and less costly to manage.


The second question is whether you should implement FIPS 140-2 or skip ahead to FIPS 140-3.

In our opinion, the latter option is best. FIPS 140-3 is a more robust set of standards: it encompasses a wider range of modern technologies and a greater number of potential businesses and agencies. Some businesses may not be able to validate with FIPS 140-2 but can with FIPS 140-3.

It’s also a way to future-proof your validation. If you start now, it can take months to audit, review, plan, and implement compliance for FIPS 140-2. If it takes you six months, that leaves you with only a year and change to enjoy FIPS 140-2 validation before the document and related validations are retired, and you’ll be forced to upgrade to FIPS 140-3 anyway. You can also learn the differences between FIPS Certified vs. Compliant vs. Validated here.

When is FIPS 140-2 Compliance Required?

As mentioned previously, FIPS 140-2 is often required as part of other government security frameworks. While you can identify and adhere to FIPS 140-2 requirements on your own with no outside pressure, if you intend to work with the government in other ways, chances are that FIPS 140-2 is just one part of a much larger overall set of compliance measures you’ll need to take.


The two most common are FedRAMP and CMMC. Organizations and CSPs that need to follow the CMMC framework will be required to use FIPS-validated cryptographic modules wherever cryptography is used to protect controlled unclassified information (CUI). Similarly, organizations that need to follow FedRAMP standards will be required to use FIPS-validated cryptography, particularly in security controls SC-8, SC-8(1), and SC-28. You can read more about this here.

Helping You Achieve Security Compliance

Whether you’re a new MSP or CSP looking to achieve compliance and certification so you can work with the government, or you’re an old agency looking to update and upgrade, or even if you’re not affiliated with the government but still want to pursue the same standards of security, you’ve come to the right place. Here at Ignyte, we’ve developed a platform that helps you with auditing and data harvesting, so you can go through all of the many factors related to security and compliance from one central dashboard.


Whether you need to start from scratch, simply streamline your data collection and reporting, or speed up the entire process, we have you covered. All you need to do is book a demo, and you’ll be well on your way. And if you have any questions about our platform, security standards, FIPS and cryptography, or anything else relating to modern security, feel free to ask!

Additionally, if you’re in need of any further information about FIPS, FedRAMP, FISMA, ITAR, or anything else related to security and compliance standards, we highly urge you to check out our other articles. With a plethora of information available to you, you’re bound to find something useful for your particular situation. And all this knowledge comes for free! So, be sure to peruse our articles page and see what we have to offer.
