What is FIPS 140?

Information security is paramount in the Cloud Computing business. For anyone learning about, planning on moving to, or already in the Cloud, it’s important to know about FIPS 140 certification and the role it plays for information security. What does it mean when software and hardware is FIPS 140 certified? The National Institute of Standards and Technology (NIST) established FIPS 140, short for Federal Information Processing Standard, as a US Government standard and general requirement for any security equipment/system (hardware, firmware, software, or a combination) used by agencies to protect sensitive yet unclassified information. Cryptographic modules themselves, as well as their documentation and source code elements, are included in these standard requirements. FIPS 140 requirements include four security levels and eleven requirement areas: 4 Security levels

  • Level 1: The lowest of the levels, Level  1 specifies basic security requirements for a cryptographic module. No physical security is required, beyond production-grade equipment.
  • Level 2: Security Level 2 improves upon Level’s 1 physical security requirements and also uses role-based authentication.
  • Level 3: Level 3 employs further-enhanced physical security, identity-based authentication, and stronger requirements for entering/outputting critical security parameters.
  • Level 4: With the highest security standards of the levels, most existing products do not meet Level 4 security requirements.  It is the most useful for operation in a physically unprotected environment (where an intruder could tamper with the device), and also protects a module against environmental safety concerns, such as extreme voltage and temperature.

11 Requirement areas:

  • Cryptographic module specification: What requires documentation
  • Cryptographic module ports & interfaces: What information moves in/out and how it should be separated
  • Roles, services, & authentication: Who does what with the module, and how it’s checked
  • Finite state model: which high-level states can the module be in, and transition explanation
  • Physical security: resistance against tampering and environmental conditions
  • Operational environment: type of operating system used
  • Cryptographic key management
  • EMI/EMC: Electromagnetic Interference/compatibility
  • Self-tests: what and when to test, and what to do if a test fails
  • Design assurance: what documentation is necessary to show it was well-designed and implmented
  • Mitigation of other attacks

User agencies need to confirm that modules in use are covered by a FIPS 140 validation certificate, which specifies the module name, equipment, and version numbers. Vendors do not always maintain their baseline validations, so it is important to ensure their certifications comply with standards to keep your data secure.