up:: [[Security Policies and Governance]] # FIPS 140-2 FIPS 140-2, which stands for Federal Information Processing Standard Publication 140-2, is a U.S. government computer security standard used to accredit cryptographic modules. The primary purpose of this standard is to ensure that cryptographic modules used in software and hardware products meet well-defined security standards for handling sensitive but unclassified information. ## Key Features - **Security Requirements:** Specifies the security requirements that must be satisfied by cryptographic modules, including areas such as physical security, cryptographic key management, and roles, services, and authentication. - **Security Levels:** The standard defines four levels of security, from Level 1 (lowest) to Level 4 (highest), each providing a progressively greater degree of security. - **Testing:** Modules must undergo rigorous testing by an accredited Cryptographic Module Testing (CMT) laboratory. ## Problem Addressed FIPS 140-2 addresses the need for a consistent and secure method to store, transfer, and share information using cryptographic techniques. It ensures that cryptographic modules meet specific standards of security to prevent unauthorized access to sensitive information. ## Implications FIPS 140-2 certification is crucial for manufacturers who supply cryptographic products to the U.S. government. Compliance with this standard is often required by government contracts and is also looked upon favorably in the private sector, enhancing product credibility and marketability. ## Impact FIPS 140-2 helps in ensuring that cryptographic products used in government communications and data storage are robust enough to protect sensitive information. It fosters trust in cryptographic products and their capabilities to secure data effectively. ## Defense Mechanisms - **Physical Security Measures:** From simple tamper-evidence to more stringent physical security to prevent tampering and unauthorized access. - **Role-Based Authentication:** Ensures that only authorized users can access certain cryptographic functions. - **Key Management Practices:** Specifies stringent key management techniques to prevent unauthorized key access and usage. ## Exploitable Mechanisms/Weaknesses Each security level in FIPS 140-2 is designed to withstand a particular set of potential attacks. Lower levels may not protect against higher resource attacks such as sophisticated physical intrusions or side-channel attacks aimed at cryptographic implementations. ## Common Tools/Software - **OpenSSL:** An open-source software library that supports FIPS 140-2 cryptographic module operation via a validated module. - **Certified Hardware Security Modules (HSMs):** Many HSMs are FIPS 140-2 certified to provide physical security for cryptographic keys and operations. ## Related Cybersecurity Policies - **[[NIST Special Publication 800-53|NIST SP 800-53]],** "Security and Privacy Controls for Federal Information Systems and Organizations": Recommends the use of FIPS 140-2 validated cryptographic modules for federal agencies. - **Federal Risk and Authorization Management Program (FedRAMP)**: Requires FIPS 140-2 validation for cloud service providers working with U.S. government data. ## Best Practices - Use FIPS 140-2 validated cryptographic modules whenever handling sensitive but unclassified information. - Regularly update cryptographic modules to ensure compliance with the latest version of FIPS standards, as updates may include important security enhancements. ## Current Status FIPS 140-2 was officially succeeded by FIPS 140-3 in 2019, which began its transition period with new requirements. However, FIPS 140-2 remains widely recognized and used until fully transitioned to the new standard. ## Revision History - **2024-04-14:** Entry created.