Federal Information Processing Standards (FIPS) 140-2 is a U.S. standard for the security of cryptographic modules. It defines a broad set of security requirements, covering physical security, cryptographic key management, roles and services, and cryptographic algorithm implementation, that must be met before a cryptographic module can be approved as “validated”.
A cryptographic module includes all the hardware, software, and firmware components within a specified boundary that perform cryptographic operations. Examples of cryptographic modules are computer chips, cryptographic cards that go in a server, security appliances, and software libraries. A cryptographic module may, or may not, be the same as a sellable product. For example, a computer server doing cryptographic operations might have an internal crypto card that is the actual FIPS 140-2 validated crypto module.
Why FIPS 140-2 Certification is Important
Government agencies need to be able to trust that the products they purchase perform cryptographic operations properly and in a secure manner. Rather than have each government agency evaluate each crypto product, the FIPS 140-2 system was implemented so that once a product is FIPS 140-2 validated, government agencies could procure any validated crypto module knowing that it is secure.
FIPS 140-2 evaluation is required for the sale of products implementing cryptography to the U.S. Federal Government. Beyond the U.S. government, any company that has a requirement for HIPAA, FISMA, or FedRAMP requires FIPS 140-2 certification. In addition, the financial community increasingly specifies FIPS 140-2 as a procurement requirement and is beginning to embrace it as a standard for its deployments.
FIPS 140-2 Security Levels
Level 1 provides the lowest level of security; only basic security requirements are specified for a cryptographic module. Level 1 allows the software and firmware components of a cryptographic module to be executed on a general-purpose computing system using an unevaluated operating system. Most, if not all, software-based crypto modules can only achieve a Level 1 certification.
Level 2 enhances the physical security mechanisms of Level 1 and adds a requirement for tamper evidence. Level 2 requires, at a minimum, role-based authentication.
Level 3 builds upon the physical security mechanisms to ensure a high probability of detecting and responding to tamper attempts. Level 3 also requires identity-based authentication, and requires the ports used for entry or output of plaintext to be physically separated, or the interfaces to be logically separated using a trusted path.
Level 4 physical security mechanisms provide a complete envelope of protection around the cryptographic module including environmental protections outside of the module’s normal operating range.
SafeNet AT FIPS 140-2 Certifications
| Certificate Number | Module Name | Security Level |
|---|---|---|
| 2500 | Luna G5 Cryptographic Module | FIPS 140-2 Level 3 |
| 2489 | Luna PCI-E Cryptographic Module & Luna PCI-E Cryptographic Module for Luna SA | FIPS 140-2 Level 3 for PCI-E HSM, and embedded PCI-E in Luna SA HSM and KeySecure G460 |
| 2488 | Luna PCI-E Cryptographic Module & Luna PCI-E Cryptographic Module for Luna SA | FIPS 140-2 Level 2 for PCI-E HSM, and embedded PCI-E in Luna SA HSM |
| 2487 | Luna G5 Cryptographic Module | FIPS 140-2 Level 2 |
| 2486 | Luna Backup HSM Cryptographic Module | FIPS 140-2 Level 3 |
| 2049 | SafeNet Software Cryptographic Library | FIPS 140-2 Level 1 for SSCL component in the KeySecure and Connector product lines |
NIST Special Publication 800-53 Rev. 4 outlines Security Controls and Assessment Procedures for Federal Information Systems and Organizations. Control SC-13 Cryptographic Protection in SP 800-53 calls for cryptographic protection and states that generally applicable cryptographic standards include FIPS-validated cryptography (i.e. use of FIPS 140-2 validated crypto modules) or NSA-approved cryptography. A number of other controls, such as SC-28 Protection of Information at Rest, SC-8 Transmission Confidentiality, and IA-7 Cryptographic Module Authentication, are often tailored to require the use of cryptography and thus trace back to SC-13 and the requirement for a FIPS 140-2 validated module.
The DoDIN APL process guide states that all products providing cryptographic-based security per applicable Federal Law and STIG requirements must be certified to FIPS 140-2 standards per the Cryptographic Module Validation Program (CMVP). Products that are required to have a FIPS 140-2 certification must already be FIPS 140-2 certified or proven to be in process for FIPS 140-2 certification prior to being accepted into the DoDIN APL process.
FISMA includes a requirement to utilize security controls and states that organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST SP 800-53. It also states that FIPS 140-2 encryption is considered an appropriate control to protect data in all states (i.e. at rest, in motion) and for all types of applications (e.g. data storage, transmission between systems, remote access, wireless access, etc.).
FedRAMP Security Controls outlines specific security controls that Cloud Service Providers (CSPs) must adhere to when providing cloud-based services to the government. These controls are for the use of encryption for access control, encryption of data at rest, data separation, storage media sanitization, and the use of FIPS 140-2 cryptography.
The Health Insurance Portability and Accountability Act (HIPAA) recommends products certified for the FIPS 140-2 encryption standard to protect healthcare data.
CSfC specifies that the vendor’s product must be, among other things, FIPS certified, and that CSfC components must have completed CAVP testing.