FIPS 140-2 FAQ

What is FIPS 140-2?

The Federal Information Processing Standard 140-2 (FIPS 140-2), entitled “Security Requirements for Cryptographic Modules,” is a standard that describes government requirements for Sensitive but Unclassified (SBU) use that hardware and software products must meet. The standard was published by the National Institute of Standards and Technology (NIST), and has been adopted by the Canadian government’s Communications Security Establishment (CSE), and in the financial community through the American National Standards Institute (ANSI).

“The [FIPS 140-2] standard specifies the security requirements that must be satisfied by a cryptographic module utilized within a security system that protects unclassified information within computer and telecommunication systems including voice systems. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels cover the wide range of potential applications and environments in which cryptographic modules may be employed. The security requirements cover areas related to the secure design and implementation of a cryptographic module, including basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.”

FIPS 140-2 is actually the third version of the FIPS 140 standard. NIST reviews the FIPS 140 standard every five years to determine if further updates are required. At this time, NIST only accepts applications for FIPS 140-2 certificates. However, the federal government may still purchase products previously evaluated for FIPS 140-1.

It is important to note that the FIPS 140-1 or 140-2 certificate applies only to that version of the product that was submitted for validation; all product updates are subject to re-evaluation against the current version of the standard.

How do you get on NIST’s Modules In Process List?

Many vendors wish to prove that they are in the process of FIPS 140-2 validation to demonstrate compliance for RFPs requiring a FIPS 140-2 product certificate. NIST posts a Modules In Process List of qualifying vendors on their website’s CMVP section. Participation on the list is voluntary and does not imply guarantee of final FIPS 140-2 validation. The list shows the status of the progress made as a product goes through validation and tracks five major stages of the evaluation process:

  1. Implementation Under Test (IUT)
    This stage shows that there is a contract in place with a testing lab, and that the lab has the cryptographic module they will be testing and all the documents needed in conjunction with the testing.
  2. Validation Review Pending
    This stage shows that the lab has completed the tests and submitted their report to NIST and CSE.
  3. Validation Review
    This stage tracks when reviewers within NIST and CSE have been assigned to the review, when the review is being performed, followed by comments that are then sent back to the lab.
  4. Validation Coordination (may be iterative)
    This is phase 2 of the lab’s involvement. They answer any questions that NIST or CSE may pose, perform additional testing if needed, produce additional documentation if needed, and resubmit the revised report.
  5. Validation Finalization
    The final step shows that NIST and CSE have accepted all of the answers and documents submitted from the lab, a certificate number is assigned and the actual certificate is being processed.

A great deal of work must be performed before the product can even begin to travel through this process. It must be thoroughly documented in the required format and sent to the lab for review. Therefore, it can take several weeks before a vendor is even eligible for posting to NIST’s Modules In Process List.

How do I get a product certified?

There are four steps to product certification:

  • Design and produce a product that is compliant with the FIPS 140-2 standard
  • Prepare extensive documentation required for certification
  • Submit the product and documentation to an accredited testing laboratory
  • Submit the lab’s successful test results to NIST and CSE for government approval

The first three steps can cost a lot in time, money, and resources. Corsec can help minimize the time, money, and resources required. On rare occasions, Corsec can facilitate faster government approval.

Why should I evaluate my products?

Sell to the US Government
FIPS 140, 140-1 or 140-2 evaluation is required by the Federal government as a condition of purchase for any products that implement cryptography. Although not all agencies are aware of this, more and more RFPs, contracts, and specifications now require FIPS 140-2 certification as a prerequisite to bid on proposals. Previously, it was possible to obtain a signed waiver making a product exempt from these requirements for a limited amount of time. FISMA has limited the practice; waivers are now rarely issued.

Improve product security
Independent review and analysis of a product’s security against government standards for good security engineering may improve, measure or validate its strength. It is far less expensive to discover a product vulnerability during testing than after it has gone to market. For this reason, FIPS 140-2 validation is often used as a marketplace discriminator, as it provides a good way to measure product security.

Sell to the financial community
The ANSI group X9.F3 provides security standards for financial services and has drafted ANSI X9.66 as an adoption of FIPS 140-2. In addition, several other ANSI standards refer to FIPS 140-2, and groups such as Identrust require validation.

Many commercial standards used by the financial industry require data protection through security measures such as cryptography. It is likely that common business practice in the financial community will soon mandate higher levels of FIPS 140-2 certification for all cryptographic products. FIPS 140-2 validation would go a long way toward achieving compliance with the increasingly stringent requirements in this field.

Provide international assurance of security
There is currently no international standard that defines security engineering requirements for cryptographic modules. Many in the international community look at the published U.S. and Canadian requirements as an indicator and assurance of acceptable quality. This may eventually solidify into a Common Criteria protection profile that implements FIPS 140-2.

Competitive Advantage
As more vendors certify their products, FIPS 140-2 validation is rapidly becoming a requirement to enter or survive in the highly competitive security marketplace. Many vendors use FIPS 140-2 as a product discriminator, which pressures the competition to meet the same proven level of security in their products.

How do I know if my competitors have FIPS 140-2 validation or are in the process of undergoing evaluation?

You can review the current list of validated vendors to see who holds a FIPS product certificate.

You can also view the NIST Modules In Process List to see who is in the process of being evaluated for FIPS 140-2 compliance. Note that vendors who incorporate FIPS-validated components into their products will not be represented on these lists. Only those companies that go through the testing process and receive certificates are listed. This also holds true for the NIST list of evaluated products on their website.

Vendors using a compliant cryptographic module in their products can request a “FIPS inside” logo to show that a FIPS-validated component has been used in their product. Simply using a FIPS-validated module in a product will not always meet the government requirement for the purchase of FIPS-approved products. The same is true for products that use FIPS-approved algorithms, which is considered a precursor to full FIPS 140-2 compliance.

What documentation is required for certification?

Documentation must include:

  • Non-Proprietary Security Policy
  • Finite State Machine
  • Master Components list
  • Software/Firmware module descriptions
  • Source code listing for all software and firmware within cryptographic boundary
  • Description of module roles and services
  • Description of key management lifecycle
  • Algorithm Conformance certificates (which alone are not sufficient for selling a product as FIPS 140-2 compliant).
  • FCC certificates for EMI/EMC compliance

Some of these documentation requirements are trivial, some are burdensome, and some only apply to hardware modules. The security policy must be a separate releasable document retained by NIST; all other documentation may be proprietary and submitted to the testing laboratory under an NDA. Because this documentation is company confidential, it is usually difficult to find examples to follow when creating your own documents.

How can I produce documentation?

If you haven’t yet begun development of a product, you can produce most of the needed documentation as a by-product of design and development. For a legacy product, your original developers can collaborate with someone who understands FIPS 140-2 requirements to produce a minimum set of documentation that meets the FIPS 140-2 standard.

To avoid delays in the testing process it is crucial that your documents are completed correctly the first time. Even products that contain no security flaws can fail the testing stage if documents are not submitted in a lab-approved format. Corsec offers expert guidance on thorough documentation of both legacy products and new designs, and the documentation can often be re-used in customer literature or user manuals. Outsourcing this process to Corsec frees up a significant amount of time and ensures that the submission package is complete and correct.

It is important to note that testing laboratories are strictly prohibited from producing documentation for products for which they test, in order to avoid a conflict of interest and the appearance of bias or impropriety.

How long does validation take?

After product submission, laboratories historically take between two months to over one year to evaluate products. After that, government agency review takes about six months.

The variability of the testing stage depends on:

  • Product complexity
  • The completeness and clarity of required documentation
  • How fast the vendor answers questions and resolves issues during testing
  • The current backlog of work at the lab or government agency

These factors only come into play after the product has been submitted for testing. There is an equal amount of work to be done in preparation for testing during product design review and documentation creation. Corsec offers services that mitigate delay and eliminate the learning curve, ensuring that product certification takes several months instead of years. The faster the product achieves validation, the faster you can go to market with that validation increasing revenue and realizing return on investment.

How much does validation cost?

There are three hard costs to consider for validation: the cost for the testing laboratory set by each individual lab; the cost to prepare document submission, which varies depending on the level of existing documentation and the author’s familiarity with FIPS 140-2 requirements; and NIST fees. (Due to the backlog caused by the deadline for FIPS 140-1 submissions, NIST now charges for issuing the certificate.)

You must also factor in the soft costs associated with the process: your internal resources tied up in the validation process including downtime of your engineers; product redesigns and document resubmissions if not completed correctly the first time. All of these factors can result in delays in your ability to sell to the federal market, and the cost of losing business to a FIPS-validated competitor must also be considered.

Expect to invest in the six-figure range for successful FIPS 140-2 validation. While this cost may be prohibitive to smaller businesses or start-up companies, the high cost of entry illustrates a company’s integrity, commitment and willingness to invest the necessary funds to validate their security products, and instills trust with their customer base.

Corsec can help you evaluate the level of effort required to complete your FIPS 140-2 validation. Our security engineers have significant expertise in the evaluation of a wide range of products.

What are the four levels of FIPS 140-2?

The FIPS 140-2 standard defines four levels of security: Level 1, Level 2, Level 3, and Level 4, with Level 4 being the highest. Each level builds on the one below it; for example, a Level 4 device must generally meet all Level 1, 2 and 3 requirements in addition to the Level 4 requirements.

For example, many hardware modules require the following physical security:

  • Level 1: Production grade equipment
  • Level 2: Production grade equipment plus tamper-evidence
  • Level 3: Production grade equipment, tamper-evidence, plus tamper response or hardening
  • Level 4: Production grade equipment, tamper-evidence, tamper response or hardening, plus a tamper detection envelope

Another level discriminator is the type of authentication required:

  • Level 1: No authentication or role-based authentication
  • Level 2: Identity-based authentication
  • Level 3: Identity-based authentication

The standard itself has a full table of requirements at each level. Most of the effort required for validation is completed by meeting Level 1 requirements, with slightly more work required for Level 2 and again for Level 3. However, there is a large gap between what is required to meet Level 3 and Level 4, and Level 4 validated products are quite rare and expensive.

A common misconception is that the “-2” in FIPS 140-2 specifies a level 2 certificate. Actually, it specifies the version of the standard that NIST currently recognizes. FIPS 140-2 is the most current version of the validation standard; it superseded the FIPS 140-1 version in 2002.

Where can I find the FIPS 140-2 Standards?

The Standards consist of three parts:

  • The FIPS 140-2 Standard itself, which defines the requirements in their highest form.
  • The Derived Test Requirements, which explain vendor responsibilities for the testing of FIPS 140-2 requirements, and the testing requirements used to determine compliance.
  • The Implementation Guidance posted on the NIST website, which includes FAQs, decisions, policies, and updates to FIPS 140-2 testing and compliance.

The bulk of these documents adds up to hundreds of pages and will continue to grow as more guidance documents are issued.

How does FIPS 140-2 apply to Certificate Authorities?

FIPS 140-2 deals with the security engineering of cryptographic modules. The cryptographic module is a critical component of a certificate authority (CA), since it protects the essence of the CA (its private key, and signature ability). However, a CA has other security-critical portions such as security auditing, physical access control, backup and redundancy, and operating system security. These areas are not addressed by FIPS 140-2. Separate standards define CA security requirements, which include the use of FIPS 140-2 validated cryptographic modules.

A secure CA should include a cryptographic module that has been FIPS 140-2 validated to a level appropriate for the security offered in certificates issued by the CA. For financial applications, the GAO and members of ANSI have expressed the opinion that hardware cryptographic modules that meet Level 3 or higher are appropriate. Level 1 hardware cryptographic modules, or any level software module, may not provide suitable controls for operation of high-security CAs.

How can Corsec help me?

Corsec was founded by a former CMVP laboratory manager and former FIPS 140 evaluator, and employs expert security consultants and software developers. We put our expertise to work to expedite certification of your company’s products as we transfer knowledge to your design team, developers, and writers. We make the entire validation process faster, more efficient, and thoroughly and expertly documented, so you achieve validation the first time. And because we work directly with NIST, CSE, and the NVLAP-accredited testing laboratories, we know the entire certification process backwards and forwards.

Our services cover all phases of FIPS 140-2 including:

  • Designing a module to meet Level 1-4 requirements
  • Producing Finite State Machine documentation
  • Writing a non-proprietary Security Policy for FIPS 140-2 documentation
  • Preparing vendor evidence of how the module meets the requirements
  • Answering testing lab questions during certification testing
  • Assisting with algorithm testing

When you work with us, you simply provide all available product documentation and the actual product to be tested. We run our own tests and create our own documents to ensure that your product is ready for validation before we submit it to the lab. After completing our testing and documentation, our engineers are thoroughly knowledgeable with your product and can answer the lab’s numerous questions directly so your engineers don’t have to. This greatly limits the amount of time that your personnel must devote to the project.

Where do I start?

The best place to start with the validation process is with a Corsec 2-day workshop, during which time two Corsec experts visit your facility and conduct an in-depth evaluation and training session with your team, including C-level, engineers, product development, sales and marketing. The workshop covers the entire validation process and requirements.

At the end of the two-day course, Corsec provides a written report that evaluates your specific product as it relates to each validation standard. We also provide a roadmap of each milestone required to secure your validation, and a firm fixed price quote that covers our fee to have us manage your validation beginning to end. Should you decide to hire Corsec to provide this turn-key service, you’ll know up front the cost, timeframe and level of effort involved, and you’ll know that when we’re finished, you will have completed your successful product certification.

Can I copy this FAQ?

This FAQ is © 2012 Corsec Security, Inc.; all rights reserved. If you contact us and tell us how you want to use the FAQ, we will almost surely grant you permission to do so in writing.