NIST Special Publication 800-53 Rev. 4
NIST Special Publication 800-53 Rev. 4 outlines security controls and assessment procedures for federal information systems and organizations. Control SC-13 Cryptographic Protection requires that cryptography, where it is used, be implemented in accordance with applicable standards, and it identifies FIPS-validated cryptography (i.e. the use of FIPS 140-2 validated cryptographic modules) and NSA-approved cryptography as the generally applicable standards. A number of other controls, such as SC-28 Protection of Information at Rest, SC-8 Transmission Confidentiality and Integrity, and IA-7 Cryptographic Module Authentication, are often tailored to require the use of cryptography; these trace back to SC-13 and therefore to the requirement for a FIPS 140-2 validated module.
Department of Defense Information Network Approved Product List (DoDIN APL)
The DoDIN APL process guide states that all products providing cryptographic-based security per applicable federal law and STIG requirements must be validated to FIPS 140-2 under the Cryptographic Module Validation Program (CMVP). A product that requires FIPS 140-2 validation must either already hold a FIPS 140-2 certificate or show that it is in process for FIPS 140-2 validation before it is accepted into the DoDIN APL process.
Federal Information Security Management Act (FISMA)
FISMA requires the use of security controls and states that organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements described in NIST SP 800-53. It also states that FIPS 140-2 validated encryption is considered an appropriate control for protecting data in all states (i.e. at rest and in motion) and for all types of applications (e.g. data storage, transmission between systems, remote access, wireless access, etc.).
Federal Risk and Authorization Management Program (FedRAMP)
The FedRAMP security controls baseline specifies the controls that Cloud Service Providers (CSPs) must adhere to when providing cloud-based services to the government. These controls include the use of encryption for access control, encryption of data at rest, data separation, storage media sanitization, and the use of FIPS 140-2 validated cryptography.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) recommends products validated to the FIPS 140-2 cryptographic module standard to protect healthcare data.
Commercial Solutions for Classified (CSfC)
CSfC specifies that a vendor's product must be, among other things, FIPS 140-2 validated, and that CSfC components must have completed Cryptographic Algorithm Validation Program (CAVP) testing.