| FIPS 140 | |
|---|---|
| Title | Federal Information Processing Standard 140 |
| Abbreviation | FIPS 140 |
| Status | Current |
| Organization | National Institute of Standards and Technology |
| Related | ISO/IEC 19790, Common Criteria |
The Federal Information Processing Standard 140 (FIPS 140) is a U.S. government standard that specifies the security requirements for cryptographic modules used to protect sensitive information. Issued by the National Institute of Standards and Technology, it provides a benchmark for validating the design and implementation of these modules across four increasing levels of security assurance. The standard is critical for federal agencies and is widely adopted by the private sector, influencing the development and certification of hardware and software security products globally.
The standard defines a cryptographic module as the set of hardware, software, and firmware that implements approved security functions, such as encryption or digital signatures. It establishes requirements across several security domains, including cryptographic key management, physical security, and operational controls. Compliance is intended to assure organizations like the Department of Defense and the Internal Revenue Service that a product meets rigorous government benchmarks. The framework is harmonized with international standards like ISO/IEC 19790 and is often referenced in conjunction with other evaluation schemes such as the Common Criteria.
The initial version, FIPS 140-1, was published in 1994, succeeding earlier ad hoc validation processes for government communications security equipment. A significant revision, FIPS 140-2, was released in 2001, introducing more detailed requirements and serving as the basis for validation for nearly two decades. The development of FIPS 140-3 began in the 2010s to align more closely with ISO/IEC 19790 and to address evolving cryptographic threats. After a lengthy process involving public comments and industry feedback, FIPS 140-3 was officially approved in 2019, with a transition period allowing for validation under the new standard.
The standard outlines requirements across eleven distinct areas, with each higher level imposing stricter requirements. These areas include cryptographic module specification, ports and interfaces, roles and services, and the finite state model. Physical security requirements range from production-grade components at Level 1 to tamper-evident enclosures at Level 2 and tamper-responsive mechanisms at Level 3; Level 4 additionally provides protection against sophisticated environmental attacks. Other critical areas cover identity-based authentication, sensitive security parameter management, and mitigation of other attacks, with higher levels mandating formal modeling and testing against specified vulnerabilities.
Validation is conducted through the Cryptographic Module Validation Program, a joint effort between NIST and the Communications Security Establishment of Canada. Independent, accredited commercial laboratories, such as those operated by Atsec Information Security or UL, perform rigorous testing against the standard's requirements. Vendors submit their modules for testing, and upon successful completion, the module is listed on the official validation lists maintained by NIST. This government-recognized certification is often a prerequisite for products sold to agencies like the Department of Homeland Security and is referenced in procurement regulations.
The standard has had a profound impact on the global information security industry, becoming a de facto requirement for cryptographic products used in finance, healthcare, and critical infrastructure. Its validation is mandated for all federal systems that use cryptography, under directives from the Office of Management and Budget. Major technology firms, including Microsoft, Cisco Systems, and IBM, routinely seek validation for products such as the Windows operating system and network security appliances. The program's influence extends internationally, with many countries recognizing its validations or aligning their own standards, such as those from the Bundesamt für Sicherheit in der Informationstechnik, with its requirements.