Assessment Laboratory (CEAL)
Overview of the FIPS 140-2 Standard
FIPS PUB 140-2 is the Federal Information Processing Standards Publication (FIPS PUB) number 140-2, "Security Requirements for Cryptographic Modules." It is published by NIST and copies are available on-line at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.
The standard specifies the security requirements that are to be satisfied by a cryptographic module utilized within a security system protecting unclassified information within computer and telecommunication systems (including voice systems). The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential application and environments in which cryptographic modules may be employed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.
Cryptographic modules are validated against Security requirements which cover eleven areas covering design and implementation issues. The module receives security level rating for each section based on the requirements met and the minimum security level rating would be the overall security level met by the module.
The security requirements cover eleven areas related to the secure design and implementation of cryptographic modules. These areas include the following:
- Cryptographic Module Specification
- Cryptographic Module Ports and Interfaces
- Roles, Services, and Authentication
- Finite State Model
- Physical Security
- Operational Environment
- Cryptographic Key Management
- Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
- Self Tests
- Design Assurance
- Mitigation of Other Attacks
The Cryptographic Equipment Assessment Laboratory (CEAL) is accredited to test hardware and software products for compliance with FIPS 140-2.
For answers to the most frequently asked questions on FIPS 140-2 Overview, please peruse our FIPS 140-2 FAQ.