FIPS 140-2 Validated Encryption CMMC

What is FIPS 140-2?

Omer Aslim selfie
By: Omer Kaan Aslim
October 20, 2020
What is FIPS 140-2? Why was it created? Which encryption algorithms are FIPS 140-2 compliant?

What is FIPS 140-2?

Created by the National Institute of Standards and Technology, the Federal Information Processing Standards Publication (FIPS) 140-2, “Security Requirements for Cryptographic Modules”, specifies the requirements an cryptographic algorithm must meet to be used to protect sensitive information on computer systems.

Why Was FIPS 140-2 Created?

The U.S. government needed to ensure that the encryption algorithms it was using were capable of protecting sensitive information. FIPS 140-2 listed requirements that cryptographers needed to meet to have their algorithms validated by the Cryptographic Module Validation Program (CVMP). Under FIPS 140-2, encryption algorithms can be validated at four different security levels.

What are the FIPS 140-2 Levels?

FIPS 140-2 has four levels of security: Level 1, Level 2, Level 3, and Level 4. The higher the level the more secure the more security is provided. FIPS 140-2 specifies the differences between these levels in depth however the below image provides a good overview.
FIPS 140-2 Levels Chart

What are the FIPS 140-2 Requirements?

FIPS 140-2 security requirements encompass eleven areas. These areas include the following:
  • 1. Cryptographic Module Specification
  • 2. Cryptographic Module Ports and Interfaces
  • 3. Roles, Services, and Authentication
  • 4. Finite State Model
  • 5. Physical Security
  • 6. Operational Environment
  • 7. Cryptographic Key Management
  • 8. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
  • 10. Design Assurance
  • 11. Mitigation of Other Attacks

Common FIPS 140-2 Compliant Algorithms

  • Advanced Encryption Standard (AES)
  • Triple-DES Encryption Algorithm (TDEA)
  • Digital Signature Standard (DSS)
  • Secure Hash Standard (SHS) (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256)
  • HMAC
  • SHA-3

What is the Cryptographic Module Validation Program (CMVP)?

CMVP
The CVMP is available to any vendors who seek to have their products certified for use by the U.S. Government and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate "sensitive, but not classified" information. Vendors seeking certification for their products have the tests completed by accredited third-party laboratories.
Modules that have passed these tests can be found in the CVMP database.

FIPS 140-2 to be Replaced by FIPS 140-3

Testing of cryptographic modules against FIPS 140-2 will end on September 22, 2021 and will be replaced by FIPS 140-3.

FIPS 140-2 Validated Cryptography CMMC

With CMMC anything that needs to be encrypted including both data at rest and in transit should be encrypted using FIPS validated encryption alogorithms. If you are seeking a CMMC level 3 or higher certification then this is certainly the case (see CMMC practice SC.3.177)

Sources

 

Discover Our NIST SP 800-171 Solutions:

 /assets/images/compliance_accelerator_white.png

Compliance Accelerator

For contractors seeking compliance
 /assets/images/quantum_assessor_white.png

Quantum Assessor

For IT service providers
 /assets/images/supply_chain_logo_white.png

Supply Chain Verifier

For contractors seeking to verify partner compliance