What is FIPS 140-2:

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. and Canadian co-sponsored security standard for hardware, software, and firmware solutions. In U.S. government procurement, all solutions that use cryptography must complete FIPS 140-2 validation to ensure end users receive a high degree of security, assurance, and dependability.

Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems must use products that have completed FIPS validation.

Products sold into the U.S. federal government are required to complete FIPS 140-2 validation if they use cryptography in security systems that process sensitive but unclassified information.

FIPS Process no CTA

Timeframe and Process:

A typical FIPS validation can take years to complete without proper guidance and preparation. When done correctly, your validation will remain valid for up to five years. With Corsec’s regularly scheduled maintenance, your team will avoid de-listing and other common pitfalls to revalidation.

Corsec - Fips 140-2 Timeframe and Process

The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing requirements for FIPS 140-2. Corsec’s comprehensive services and a patented testing system help you successfully complete FIPS validation.

FIPS Validated vs FIPS Compliant/FIPS Inside:

FIPS compliant is a self designated term and has no government backing. It is sometimes used in reference to a product that has used FIPS approved algorithms or libraries, but has not actually gone through the necessary steps to verify and test that the product is using them correctly. It does not hold any weight nor can you claim you have completed FIPS 140-2 Validation.

FIPS Inside generally refers to a product that has incorporated another company’s cryptographic module which went through the FIPS validation process for itself. Although the cryptographic module that was dropped in has gone through validation, the overall product still has not yet been validated.

FIPS Validated asserts that your specific solution has gone through the entire FIPS 140-2 process, giving you a certificate of your own issued by NIST (the government).

It is proof that your product has been tested and meets the legal procurement requirements passed by Congress for the U.S. government and different industries, including healthcare, financial services, and critical infrastructure.

Have question on the timeframe, costs, and resource requirements for your product’s validation?