

Data encryption - What does FIPS 140-2 stand for and why do I care?

FIPS stands for the Federal Information Processing Standardisation, and FIPS 140-2 is a collection of standards generally associated with hardware and software cryptography. In most cases people refer to it as the method of encrypting data. There are four levels under the 140-2 mandate, which, according to Wikipedia, are:

FIPS 140-2 Level 1 is the entry point and, roughly speaking, means that the components of a system must be "production-grade" and that obvious kinds of insecurity must be absent.

FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.

FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.

FIPS 140-2 Level 4 makes the physical security requirements more stringent, and requires robustness against environmental attacks.

Full details of the standards themselves can be found here:

Great blurb, but why should you care? Good question.

The reason is that these standards are actually in force, and slowly but surely solution providers are being asked to confirm that their application, system or service adheres to them, either natively or through configuration settings.

The definition I work with is this:
Within the US Federal government, the FIPS 140-2 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements.

The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g., Digital Cinema Systems Specification).

A number of examples closer to our area of concern exist of applications or systems that provide this functionality, including Windows 7 with its new 'BitLocker To Go' feature. BitLocker To Go writes data to items such as memory sticks and other media, including drives, in such a way as to meet the FIPS 140-2 requirements. Currently BitLocker within XP SP3 and Vista has been certified as FIPS 140-2 compliant. Windows 7 is semi-compliant: it uses the same BitLocker (and modules) but has not yet been certified. BitLocker To Go has not been certified and I am waiting on information.

Other examples include SQL 2005 SP1 and SQL 2008, which have configurable settings that can ensure databases are stored encrypted to FIPS 140-2 if required. A third example is a BlackBerry device: policies are available to meet all of the FIPS 140-2 levels, depending on the protection level deemed appropriate. Many, many more applications and devices either already meet this standard or are preparing to adopt it. By the way, the standards also apply to the standard of documentation that is produced.

As far as Microsoft desktop operating systems are concerned, Microsoft has held accreditation right back from XP SP3. A short list of other certified Microsoft OS products can be found here:

Further, FIPS 140-2 certification applies to specific modules, or specific versions of them. If certification has been awarded at version 1.0, it has to be repeated if any part of the cryptographic components changes, regardless of whether the end product stays at version 1.0 or is upgraded to v1.1, for example.
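A practical check that follows from the points above, added here and not part of the original article: on Windows, the "System cryptography: Use FIPS compliant algorithms" security policy is the configuration setting that tells Microsoft's validated modules to refuse non-approved algorithms. The script reads that policy from its standard registry location and shows the .NET Framework enforcing it by trying to create an unapproved (MD5) and an approved (SHA-256) hash provider. It assumes Windows PowerShell 5.1 (which runs on the .NET Framework) and read access to HKLM.

```powershell
# Added example (not from the article): audit the Windows FIPS algorithm policy and observe
# how the .NET Framework honours it. Registry path is the standard Windows location.
function Get-FipsAlgorithmPolicy {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    # 'Enabled' = 1 is what the "Use FIPS compliant algorithms" security policy sets.
    $item = Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue
    $enabled = ($null -ne $item) -and ($item.Enabled -eq 1)
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FipsPolicyEnabled = $enabled
        # The .NET Framework's own view of the same policy (read once per process).
        DotNetEnforcing   = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
        RegistryPath      = $path
    }
}

function Test-HashUnderFipsPolicy {
    # MD5 is not FIPS-approved, so its provider throws InvalidOperationException when the policy
    # is on; SHA-256 through the CNG provider is always permitted. A false result for MD5 means
    # enforcement is live; a true result means this host only has the policy on paper.
    param([Parameter(Mandatory)][string]$AlgorithmName)
    try {
        $hash = switch ($AlgorithmName) {
            'MD5'    { [System.Security.Cryptography.MD5CryptoServiceProvider]::new() }
            'SHA256' { [System.Security.Cryptography.SHA256Cng]::new() }
            default  { throw "unsupported test algorithm: $AlgorithmName" }
        }
        $hash.Dispose()
        [pscustomobject]@{ Algorithm = $AlgorithmName; Allowed = $true;  Reason = 'provider created' }
    } catch {
        # PowerShell wraps constructor failures; report the underlying .NET exception.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        [pscustomobject]@{ Algorithm = $AlgorithmName; Allowed = $false; Reason = $ex.Message }
    }
}

Get-FipsAlgorithmPolicy | Format-List
'MD5', 'SHA256' | ForEach-Object { Test-HashUnderFipsPolicy -AlgorithmName $_ } | Format-Table -AutoSize
```

Enabling the policy does not by itself make a product FIPS 140-2 compliant; it only restricts the algorithms the OS modules will provide, which is the configuration side of the "natively or through configuration settings" point made earlier.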

These standards are no longer confined to the US either. In the UK, the Cabinet Office has followed suit and issued guidelines that FIPS 140-2 should be appropriately adhered to by Government agencies. One of the major drivers was the need to deal with lost or stolen laptop computers, lost memory sticks and other such devices that could hold data in an unencrypted form.

In summary, the purchase of new or upgraded hardware or software may, by law or by mandate, need to conform to the FIPS 140-2 standards. The new FIPS 140-3 standard is still in draft, but if you are not sure whether you need to be aware of, or implement, these standards, then read up or ask someone.

Expert Comment by: Kevin Cross
Very nice article, Keith.
Voted yes above!

Expert Comment
Keith - excellent balance of information, with good details and links.
Wish I'd known you when I was running SIPRNET stuff.
Big ol' yes!
