
Data encryption - What does FIPS 140-2 stand for and why do I care?

Keith AlabasterEnterprise Architect
FIPS stands for the Federal Information Processing Standardisation, and FIPS 140-2 is a collection of standards that are generically associated with hardware and software cryptography. In everyday usage, people refer to it simply as the method of encrypting data. There are four levels under the 140-2 mandate and these - according to Wikipedia - are:

FIPS 140-2 Level 1 is the entry point and roughly speaking means that components of a system must be "production-grade" and obvious kinds of insecurity must be absent.

FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.

FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.

FIPS 140-2 Level 4 makes the physical security requirements more stringent, and requires robustness against environmental attacks.

Full details of the standards themselves can be found here:
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Great blurb - but why should you care? Good question....

The reason is that these standards are actually in place, and solution providers are slowly but surely being asked to confirm that their application, system or service adheres to them, either natively or through configuration settings.

The definition I work with is this:
Within the US Federal government, the FIPS 140-2 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements.

The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g., Digital Cinema Systems Specification).

Closer to our own area of concern, a number of applications and systems provide this functionality, including Windows 7 through the new 'BitLocker To Go' feature. BitLocker To Go writes data to removable media such as memory sticks and other drives in such a way as to meet the FIPS 140-2 requirements. Currently BitLocker within XP SP3 and Vista has been certified as FIPS 140-2 compliant. Windows 7 is semi-compliant, as it uses the same BitLocker (and modules) but has not yet been certified. BitLocker To Go has not been certified and I am waiting on information.

Other examples include SQL 2005 SP1 and SQL 2008, which have configurable settings that can ensure databases are stored encrypted to FIPS 140-2 if required. A third example is a BlackBerry device: policies are available to meet all of the FIPS 140-2 standards, depending on the protection level deemed appropriate. Many, many more examples can be found of applications or devices that already meet, or are preparing to adopt, this standard. By the way, the standard also sets requirements for the documentation that is produced.
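The Windows and SQL Server cases above both come down to the operating system's FIPS policy flag: when it is set, Windows and the .NET crypto classes refuse the non-validated algorithm implementations and only the validated modules remain available. The following audit snippet is an added example, not code from the article or from Microsoft. It assumes Windows PowerShell 5.1 on the .NET Framework (where the `*Managed` classes honour the policy and `CryptoConfig.AllowOnlyFipsAlgorithms` reflects it) and reads the standard `FipsAlgorithmPolicy` registry key; the function names are the author's own.

```powershell
# Added example: report whether this Windows host enforces the FIPS 140-2
# algorithm policy and whether .NET honours it. Assumes Windows PowerShell 5.1
# on the .NET Framework; not part of the original article or of any Microsoft tool.

function Get-FipsPolicyState {
    # The standard Windows policy flag; a missing key is treated as "disabled".
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return [bool]$item.Enabled
}

function Test-FipsEnforcedByDotNet {
    # Under the policy, the purely managed (non-validated) SHA-256 implementation
    # throws on construction, while the CSP-backed one (validated module) still works.
    $result = [ordered]@{
        DotNetSeesPolicy = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
        Sha256Managed    = $null
        Sha256Csp        = $null
    }
    try {
        $null = [System.Security.Cryptography.SHA256Managed]::new()
        $result.Sha256Managed = 'allowed'
    } catch {
        $result.Sha256Managed = 'blocked'
    }
    try {
        $null = [System.Security.Cryptography.SHA256CryptoServiceProvider]::new()
        $result.Sha256Csp = 'allowed'
    } catch {
        $result.Sha256Csp = 'blocked'
    }
    return [pscustomobject]$result
}

# Usage: run in an elevated or normal session; the registry value is world-readable.
$policy = Get-FipsPolicyState
Write-Host "Windows FIPS algorithm policy enabled: $policy"
Test-FipsEnforcedByDotNet | Format-List
```

On a host with the policy enabled you expect `DotNetSeesPolicy` to be `True`, `Sha256Managed` to read `blocked` and `Sha256Csp` to read `allowed`; with the policy off, both constructors succeed. This is the observable difference that separates "uses an approved algorithm" from "uses a validated module", which is what a FIPS 140-2 certificate actually covers.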

As far as Microsoft desktop operating systems are concerned, MS gained accreditation right back from XP SP3. A short list of other certified Microsoft OS products can be found here, by the way:
http://technet.microsoft.com/en-us/library/cc750357.aspx

Further, FIPS 140-2 certification applies to specific modules or versions thereof. If certification has been awarded at version 1.0, it has to be repeated if any part of the cryptographic components is changed, regardless of whether the end product stays at version 1.0 or is upgraded to v1.1, for example.

These standards are no longer confined to the US either. In the UK, the Cabinet Office has followed suit and issued guidelines that FIPS 140-2 should be appropriately adhered to by Government agencies. One of the major reasons that drove this was the need to deal with lost or stolen laptop computers, lost memory sticks and other such devices that could hold data in an unencrypted manner.

In summary, the purchase of new or upgraded hardware or software may - by law or by mandate - need to conform to the FIPS 140-2 standards. The new FIPS 140-3 standard is still in draft, but if you are not sure whether you need to be aware of, or implementing, these standards, then read up or ask someone.

Comments (2)

Kevin CrossChief Technology Officer

Commented:
Very nice article, Keith.
Voted yes above!

Commented:
Keith - excellent balance of information, with good details and links.
Wish I'd known you when I was running SIPRNET stuff.
Big ol' yes!
