FIPS 140-2 standards
are supported for
SAS/SECURE and
Transport Layer Security (
TLS)
encryption technologies. FIPS 140-2 is not a technology, but a definition of what security mechanisms
should do. FIPS 140-2 is the current version of the Federal Information Processing
Standardization 140 (FIPS 140) publication. FIPS 140-2 is a standard that describes
US Federal government requirements that IT products should meet for Sensitive, but
Unclassified (SBU) use.
The standard defines
the security requirements that must be satisfied by a cryptographic
module used in a security system protecting unclassified information
within IT systems. FIPS 140-2 requires organizations that do business
with a government agency or department that requires the exchange
of sensitive information, to ensure that they meet the FIPS 140-2
security standards. In addition, the financial community increasingly
specifies FIPS 140-2 as a procurement requirement.
The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication
Series to coordinate the requirements and standards for
cryptography modules that include both hardware and software components. Federal agencies and
departments can validate that the module in use is covered by an existing FIPS 140-1
or FIPS 140-2 certificate. The certificate specifies the exact module name, hardware,
software, firmware, and applet version numbers. For more information, see
FIPS PUB 140-2 SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES.
There are four levels
of security: from Level 1 (lowest) to Level 4 (highest). The security
requirements cover areas related to the secure design and implementation
of a cryptographic module. These areas include basic design and documentation,
module interfaces, authorized roles and services, physical security,
software security, operating system security, key management, cryptographic
algorithms, electromagnetic interference or electromagnetic compatibility
(EMI/EMC), and self-testing.