FIPS 140-2

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. and Canadian co-sponsored security standard for hardware and software products. FIPS 140-2 provides stringent third-party assurance of security claims for products sold in the United States and Canada.

Why Get FIPS 140-2 Validated:

The FIPS 140-2 standard is mandated by law in the U.S. and very strictly enforced in Canada, for all products used in security systems that process sensitive but unclassified information. FIPS 140-2 validation provides product users with a high degree of security, assurance, and dependability. For U.S. government procurement, products using cryptography for secure remote management, data encryption, digital signatures, information protection, and more, must complete FIPS 140-2 validation. FIPS 140-2 is gaining worldwide recognition as an important benchmark for encryption products of all kinds.

FIPS 140-2 Background:

FIPS 140-2 is a joint effort by the National Institute of Standards and Technology (NIST) in the United States, and the Communications Security Establishment Canada (CSEC), under the Canadian government. The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing for FIPS 140-2, which applies to Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems. It is also currently being reviewed by ISO to become an international standard.

FIPS 140-2 Common Questions

How Do I Get FIPS 140-2 Validated?

In order to receive FIPS 140-2 validation, an accredited testing laboratory must evaluate the product to ensure compliance. Typically, FIPS 140-2 compliance requires product changes, documentation development, laboratory testing, and government oversight. There are three major phases in the process.

Phase 1: Design and Documentation

The amount of time to properly design and document a product varies greatly, depending upon the nature of the changes required and the maturity level of the product being evaluated. However, this phase of the process is the one that product vendors can most control. Many products require only small changes to meet FIPS 140-2 requirements. Some product manufacturers are able to integrate the design and documentation phase into a regular product release cycle. Assuming ideal circumstances, Corsec recommends planning for approximately three months for this effort.

Phase 2: Laboratory Testing

The amount of time that laboratory testing of an individual product takes directly depends upon how well the product was designed and documented. A product that properly meets the requirements and is delivered to the testing laboratory with all required documentation written correctly can move through testing in two to three months. There is no maximum time it can take for a product to successfully complete testing. Corsec recommends ensuring your product meets all requirements prior to entering the testing phase of FIPS 140-2.

Phase 3: Government Review

Once the testing laboratory completes its testing of a product, a report is submitted to the Cryptographic Module Validation Program (CMVP) for review. This governmental body is a joint United States and Canadian organization that reviews all test reports for compliance. The amount of time this review takes depends upon the current length of the test report queue and can range from anywhere between two to eight months. Additional time may also be required if problems with the product are discovered during the review.

How much does FIPS 140-2 Validation cost?

FIPS 140-2 validation costs vary greatly, depending upon the complexity of the product and the level of certification sought. Additionally, poor planning and failure to properly execute a plan have resulted in some staggering sums being spent on validation efforts. Figuring out how much a certification will cost is one of the most important activities when planning an evaluation effort.

How Long Does a FIPS 140-2 Validation Take?

A typical FIPS 140-2 validation effort will take anywhere from eight to twelve months from start to finish. This will depend heavily on certain factors: ROI, cost, product changes, certification options, timing, customer requirements, new business areas, and a competitive analysis.

What is the difference between FIPS 140-2 Validated and Compliant?

There is a substantial difference between claiming your product is FIPS 140-2 compliant versus FIPS 140-2 validated.

FIPS Compliant refers to a product that has incorporated within its design another company's cryptographic module that went through the FIPS validation process. It does not carry as much weight as being able to claim FIPS 140-2 validation.

FIPS Validated means the vendor has gone through the entire FIPS 140-2 evaluation process and holds a certificate of their own issued by the government. Further, the product meets the legal requirements passed by Congress, as well as the procurement requirements for the U.S. government and different industries, including healthcare, financial services, and critical infrastructure.

What Now:

Corsec offers solutions to help clients better understand how and what certifications are right for each product. We can help determine the best path to FIPS 140-2 validation given your product’s unique market drivers, competitive landscape and primary goals.

You can also download the Corsec FIPS Inside White Paper.

Call Corsec +1 703 267 6050