What is FIPS 140-2
FIPS 140-2 specifies requirements related to the secure design and implementation of cryptographic modules that provide protection for sensitive or valuable data.
Security requirements cover 11 areas related to the design and implementation of a cryptographic module. Four security level ratings are defined for each area.
The National Institute of Standards and Technology (NIST-USA) and the Communications Security Establishment Canada (CSEC-Canada) established the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules to FIPS 140-2, Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards.
Vendors of cryptographic modules use independent, accredited Cryptographic and Security Testing (CST) laboratories to test their modules. The CST laboratories use the Derived Test Requirements (DTR), Implementation Guidance (IG) and applicable CMVP programmatic guidance to test cryptographic modules against the applicable standards.
Generally, companies that have not adopted a security certification culture feel overwhelmed by the prospect of having to generate a huge amount of documentation to pass the validation, and of having to make unexpected or drastic changes to their products.
Don't wait: call us for more information about FIPS 140-2 Consulting.
FIPS 140-2 Process
The FIPS 140-2 process mainly involves the vendor and the CST lab. NIST and CSEC become involved once the CST lab submits its reports.
Before that, it is possible to be listed in the “Cryptographic Module Validation Program FIPS 140-2 Implementation Under Test List”. This list shows the implementations under test (IUTs) that are being tested by a CST lab.
To be on the list, the vendor must submit the whole evidence package to the lab, including the non-proprietary security policy, the IUT, the finite state model, etc.
Once the CST lab has finished the testing process, the IUT enters the “Cryptographic Module Validation Program FIPS 140-2 Modules In Process List”. This list details the status of the validation process.
Finally, the IUT will be listed in the “FIPS 140-2 Cryptographic Module Validation Lists” as soon as the validation finishes.
We can provide consultancy to support you in writing the security policy, carrying out a gap analysis, or adapting all the required evidence to FIPS 140-2 requirements.
Ask us about our FIPS 140-2 Consulting service and get your product on the list now.
What do we offer?
We check the current status of your product and documentation and inform you of the changes you need to make before going through the development/certification process.
This service is particularly valuable for FIPS 140-2, given that cryptographic modules must meet some specific requirements, and a clear understanding of them avoids finding issues in the last stages of development.
If you need your cryptographic module to become a validated FIPS 140-2 CM, we can offer you maximum support throughout the process.
Writing a Security Policy or a Finite State Machine is not a trivial task if you are not used to it.
We can do it for you, allowing you to focus on your product and saving you time and money.
Does your team need to gain more knowledge of FIPS 140-2? We can provide you with customized training.
After this training, your team will be able to write FIPS 140-2 documentation on their own.