What Is FIPS 140-2:

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. and Canadian co-sponsored security standard for hardware, software, and firmware solutions. In U.S. government procurement, all solutions that use cryptography must complete FIPS 140-2 validation to ensure end users receive a high degree of security, assurance, and dependability.

Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems must use products that have completed FIPS validation.

Products sold into the U.S. federal government are required to complete FIPS 140-2 validation if they use cryptography in security systems that process sensitive but unclassified information.


Timeframe and Process:

A typical FIPS validation takes up to 12 months and remains valid for up to five years. With Corsec’s regularly scheduled maintenance, your team will avoid de-listing and other common revalidation pitfalls.

The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing requirements for FIPS 140-2. Corsec’s comprehensive services and a patented testing system help you successfully complete FIPS validation.


FIPS Validated, FIPS Inside, and FIPS Compliant:

There is a substantial difference between having your product achieve FIPS 140-2 validation and claiming your product is FIPS 140-2 compliant.

FIPS Compliant is a self-designated term and has no government backing. It is sometimes used in reference to a product that uses FIPS-approved algorithms or libraries but has not actually gone through the necessary steps to verify and test that the product is using them correctly. The term does not hold any weight, nor does it let you claim that you have completed FIPS 140-2 validation.

FIPS Inside generally refers to a product that has incorporated another company’s cryptographic module, which went through the FIPS validation process on its own. Although the cryptographic module that was dropped in has gone through validation, the overall product has not yet been validated.

FIPS Validated asserts that your specific solution has gone through the entire FIPS 140-2 process, giving you a certificate of your own issued by NIST (the government). Further, your product has been tested and meets the legal requirements passed by Congress, as well as the procurement requirements for the U.S. government and different industries, including healthcare, financial services and critical infrastructure.


Have questions about the timeframe, costs, and resource requirements for your product’s evaluation?