LLMpedia: The first transparent, open encyclopedia generated by LLMs

FIPS 140-2

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: FIPS 140-2
Title: Federal Information Processing Standard Publication 140-2
Status: Withdrawn / Superseded
Issued: 2001
Superseded by: FIPS 140-3

FIPS 140-2 is a United States Federal Information Processing Standard that specifies security requirements for cryptographic modules used within National Institute of Standards and Technology and National Security Agency-related systems, and by agencies such as the Department of Defense and the Department of Homeland Security. Originating during the tenure of Bill Clinton and shaped amid policy debates involving the Office of Management and Budget and the Congressional Research Service, the standard influenced procurement practices at institutions including the Federal Aviation Administration and the Securities and Exchange Commission. Widely referenced by vendors like IBM, Microsoft, Cisco Systems, and Oracle Corporation, it remained central to evaluations conducted by laboratories such as the NIST Cryptographic Module Validation Program and accredited test labs like the National Voluntary Laboratory Accreditation Program.

Overview

FIPS 140-2 defines requirements for cryptographic modules covering physical, operational, and procedural security controls used by agencies such as the Department of Energy, the Department of Justice, and the Department of the Treasury. The standard was drafted in coordination with entities including NIST, NSA, and stakeholders from companies like Intel Corporation and ARM Holdings, and it influenced international standards from the International Organization for Standardization and the European Telecommunications Standards Institute. FIPS 140-2 established a common baseline applicable across technologies from vendors such as Hewlett-Packard, Juniper Networks, Amazon Web Services, and Google LLC, and it intersected with legislative acts like the Federal Information Security Management Act.

Security Requirements and Levels

FIPS 140-2 specifies requirements grouped into areas including physical security, cryptographic key management, role-based authentication, and self-tests used by manufacturers like Thales Group and Gemalto. The standard defines four security levels adopted by products from Cisco Systems, Fortinet, Palo Alto Networks, and Broadcom Inc., reflecting protections comparable to practices in National Institute of Standards and Technology Computer Security Division evaluations and guidance used by agencies such as the Central Intelligence Agency and the National Aeronautics and Space Administration. Implementation of requirements often references algorithm guidance from the National Institute of Standards and Technology Computer Security Resource Center and compliance expectations influenced by case law involving the United States Court of Appeals for the Federal Circuit.
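The self-tests mentioned above include power-up known-answer tests: the module runs each algorithm on a fixed input, compares the result with a stored answer, and provides no cryptographic service if any comparison fails. The following is an added example, not code from the standard or from any validated module; the CryptoModule class, its state names and its methods are hypothetical, and the vectors are the public "abc" digests and RFC 4231 test case 1.

```python
import hashlib
import hmac

# Public known-answer vectors: SHA-1/SHA-256 of b"abc", and RFC 4231 test case 1.
KATS = [
    ("SHA-1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


class ModuleError(RuntimeError):
    """Raised when a service is requested outside the operational state."""


class CryptoModule:
    """Hypothetical software module that gates services on its self-tests."""

    def __init__(self, kats=KATS):
        self._kats = kats
        self.state = "POWER_UP"
        self.failed = []

    def power_up_self_test(self):
        # Run every known-answer test; one mismatch puts the module in ERROR.
        self.failed = [name for name, compute, expected in self._kats
                       if not hmac.compare_digest(compute(), expected)]
        self.state = "ERROR" if self.failed else "OPERATIONAL"
        return self.state

    def sha256(self, data):
        # No cryptographic service is provided before the tests pass
        # or after any of them has failed.
        if self.state != "OPERATIONAL":
            raise ModuleError(f"service refused in state {self.state}: {self.failed}")
        return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    module = CryptoModule()
    print(module.power_up_self_test(), module.sha256(b"abc"))
```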

Validation and Certification Process

Validation under FIPS 140-2 was administered through the Cryptographic Module Validation Program coordinated by NIST and operationalized by test labs accredited through NVLAP. Vendors such as RSA Security, Entrust, Symantec Corporation, and McAfee submitted modules for testing that assessed conformance to requirements defined by panels including representatives from Department of Defense test centers and independent laboratories like Galois, Inc. Certificates issued after validation were recorded in lists maintained by NIST and referenced by procurement officers at organizations including the United States Postal Service and the National Oceanic and Atmospheric Administration.

Approved Algorithms and Modules

FIPS 140-2 required use of approved algorithms such as Advanced Encryption Standard, Secure Hash Algorithm 1, Secure Hash Algorithm 2, and Digital Signature Standard implementations from vendors like RSA Security and Elliptic Curve Cryptography suites promoted by standards bodies including the Internet Engineering Task Force and the Institute of Electrical and Electronics Engineers. Modules implementing standards from X.509 infrastructures, Transport Layer Security libraries, and hardware security modules produced by firms like Thales Group and Gemalto were commonly certified. The approved algorithm list influenced software libraries from the OpenSSL Project, Bouncy Castle, and LibreSSL used in systems operated by NASA, NOAA, and the U.S. Department of State.

Implementation and Use Cases

Adoption of FIPS 140-2 shaped deployments across sectors, with implementations in products from Cisco Systems, Juniper Networks, IBM, and Hewlett-Packard Enterprise used by agencies like the Department of Veterans Affairs and the Internal Revenue Service. Use cases included secure VPN gateways, hardware security modules in financial systems operated by the Federal Reserve System and SWIFT, and device-level encryption in mobile platforms from Apple Inc. and Samsung Electronics. Cloud service providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform referenced FIPS 140-2 validated modules for services consumed by the Department of Defense and commercial enterprises like Bank of America and JPMorgan Chase & Co.

Transition to FIPS 140-3

The transition from FIPS 140-2 to FIPS 140-3 involved harmonization with international standards including those of ISO/IEC JTC 1/SC 27, and coordination among NIST, NSA, and stakeholders such as the National Institute of Information and Communications Technology and industry consortia including the Open Group. FIPS 140-3 introduced updated requirements aligned with contemporary cryptographic practices discussed in forums like RSA Conference and Black Hat USA, affecting vendors such as Cisco Systems, IBM, and Microsoft Corporation and prompting re-evaluation programs managed by NIST and NVLAP-accredited laboratories.
