
Encryption and NIST FIPS 140 (FIPS 140-2)


NIST's Cryptographic Module Validation Program (CMVP) no longer accepts new FIPS 140-2 validation submissions: the cutoff for new 140-2 submissions passed in September 2021, and the standard has been superseded by the updated FIPS 140-3 (existing 140-2 certificates remain valid until September 2026, after which they move to the historical list). Many vendors are still waiting on FIPS 140-2 certificates for submissions that made the cutoff, and many are now planning their move to the 140-3 standard.

But to understand the new standard, it helps to understand the old one. FIPS 140-2 has been the NIST standard for cryptographic modules for roughly two decades, and its impact will be felt for years to come.


What Is FIPS 140-2?

Federal Information Processing Standard (FIPS) Publication 140-2 is a standard issued by the National Institute of Standards and Technology (NIST) that specifies the security requirements for cryptographic modules used to protect sensitive but unclassified information in federal systems.

In this context, it is important to understand what a "cryptographic module" is. When we think of cryptography, we usually think of encryption, and encryption is certainly part of it. But the standard defines a module as the set of hardware, software and/or firmware that implements approved security functions (encryption, hashing, digital signatures, key generation and so on) inside a defined cryptographic boundary. The boundary matters: everything inside it, including how keys are generated, stored and zeroized, is what gets tested and validated; everything outside it is not.

Most consumer and many enterprise systems get by with cryptography that has never been independently tested. Government and defense systems, however, must protect data against some of the most capable adversaries, which is why they require modules whose implementations have been validated rather than simply trusted.

A FIPS 140-2 module must implement at least one of the Approved security functions listed in Annex A of the standard. These include AES (with 128-, 192- or 256-bit keys), Triple-DES, the SHA-2 hash family, HMAC, and RSA and ECDSA signatures with approved key sizes. Note that the approved list changes over time: under NIST SP 800-131A Rev. 2, Triple-DES encryption is disallowed after 2023, so a module that depends on it for encryption will not remain compliant.


What Are the FIPS 140-2 Security Levels?

FIPS 140-2 defines four security levels for cryptographic modules. Each level adds requirements on top of the one below it, so that a module can be matched to the sensitivity of the data it protects and the environment it operates in.

The four security levels are:

Level 1: the lowest level. At least one Approved security function must be used, and the module may be software running on a general-purpose computer; no physical security is required beyond production-grade components.

Level 2: adds tamper evidence (coatings, seals or pick-resistant locks on removable covers so that physical access leaves a visible trace) and role-based authentication of operators.

Level 3: adds tamper resistance and tamper response (zeroizing plaintext keys and other critical security parameters when the enclosure is opened), identity-based authentication, and physical or logical separation of the ports through which plaintext keys enter or leave the module.

Level 4: the highest level. The physical security mechanisms must provide a complete envelope of protection that detects and responds to any unauthorized attempt at physical access, and the module must withstand or detect environmental attacks such as voltage or temperature outside its normal operating range.

It is worth noting that most of what separates the levels is physical security. Modern approved algorithms with adequate key sizes cannot be broken by brute force under any realistic conditions, so attackers rarely try. Instead they look for a way around the cryptography: compromising the host system that calls the module, or getting at the hardware to extract the keys themselves.

The ways of doing this are varied. An attacker may open a hardware enclosure to read keys out of local storage, manipulate a chip's supply voltage or clock (fault injection) to make it skip a check or leak key material, or measure power consumption and timing to recover keys through side channels.

The higher FIPS security levels exist to mitigate exactly these threats: tamper evidence at Level 2, tamper response and key zeroization at Level 3, and environmental failure protection at Level 4.


What Are Some of the 140-2 Implementation Requirements?

Within each level, the standard breaks its requirements into eleven areas, so that a module is examined from several angles rather than only on the strength of its algorithms.

The eleven areas are:

Cryptographic module specification: what the module is, where its cryptographic boundary lies, and its approved modes of operation.

Module ports and interfaces: the data input, data output, control input and status output interfaces.

Roles, services and authentication: the crypto officer and user roles, and how operators are authenticated (role-based at Level 2, identity-based at Level 3 and above).

Finite state model: the defined states the module can be in, including power-up, operational and error states, and the transitions between them.

Physical security: tamper evidence, tamper resistance and tamper response, scaling with the security level.

Operational environment: requirements on the operating system when the module is software running on a general-purpose platform.

Cryptographic key management: key generation, entry and output, storage, and zeroization.

EMI/EMC: electromagnetic interference and compatibility requirements.

Self-tests: power-up tests (known-answer tests for each approved algorithm and an integrity check of the module's software or firmware) and conditional tests that run during operation.

Design assurance: configuration management, secure delivery and installation, and operator guidance.

Mitigation of other attacks: protection against attacks outside the other areas, such as power analysis and fault induction.
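FIPS 140-2 Section 4.9 requires a module to run power-up self-tests (a known-answer test for each approved algorithm and an integrity check over its own software or firmware) before it provides any service, and to enter an error state that blocks all cryptographic output if any test fails; conditional tests such as the continuous random number generator test run during operation. The Python below is an added example that models that discipline; it is not code from Continuum GRC or from any validated module. It uses the standard library's SHA-256 and HMAC as the implementation under test and published vectors (the FIPS 180-4 "abc" example and RFC 4231 HMAC-SHA-256 test case 1) as the expected answers; the module image, integrity key and state names are constructed for the illustration.

```python
"""Toy model of the FIPS 140-2 self-test discipline (Section 4.9).

Added illustration, not code from Continuum GRC or from any validated module.
The "implementation under test" is the Python standard library's SHA-256 and
HMAC; the expected answers are published vectors (FIPS 180-4's "abc" example
and RFC 4231 HMAC-SHA-256 test case 1).  The module image, integrity key and
state names are constructed for the demo.
"""
import hashlib
import hmac
import os

# Known-answer test (KAT) vectors: fixed input -> published expected output.
SHA256_KAT = (
    b"abc",
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
)
HMAC_SHA256_KAT = (
    b"\x0b" * 20,
    b"Hi There",
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
)

# Software/firmware integrity test: a real module MACs its own binary with a
# key fixed at build time and compares against a MAC stored alongside it.
# Here the "binary" is a byte string and the reference MAC is computed once,
# standing in for the build step.  Both values are constructed for the example.
INTEGRITY_KEY = b"constructed-build-time-integrity-key"
MODULE_IMAGE = b"example cryptographic module image v1.0"
EXPECTED_IMAGE_MAC = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, "sha256").hexdigest()


class SelfTestFailure(RuntimeError):
    """Raised when a service is requested while the module is not operational."""


class CryptoModule:
    """Minimal module that gates every service on its self-test state."""

    def __init__(self, image=MODULE_IMAGE):
        self.image = image
        # Finite state model: power-up -> operational, or power-up -> error.
        self.state = "power-up"
        self.failures = []
        self._last_rng_block = None

    # --- power-up self-tests: must all pass before any service is offered ---
    def power_up_self_tests(self):
        tests = (
            ("sha256-kat", self._sha256_kat),
            ("hmac-sha256-kat", self._hmac_sha256_kat),
            ("software-integrity", self._integrity_test),
        )
        self.failures = [name for name, test in tests if not test()]
        # Any failure puts the module in the error state; no cryptographic
        # output may leave the module until it is reset and the tests pass.
        self.state = "error" if self.failures else "operational"
        return self.state

    def _sha256_kat(self):
        message, expected = SHA256_KAT
        return hashlib.sha256(message).hexdigest() == expected

    def _hmac_sha256_kat(self):
        key, message, expected = HMAC_SHA256_KAT
        actual = hmac.new(key, message, "sha256").hexdigest()
        return hmac.compare_digest(actual, expected)

    def _integrity_test(self):
        mac = hmac.new(INTEGRITY_KEY, self.image, "sha256").hexdigest()
        return hmac.compare_digest(mac, EXPECTED_IMAGE_MAC)

    # --- conditional self-test: continuous random number generator test ---
    def random_bytes(self, n=32, source=os.urandom):
        """Return n random bytes, failing closed if the generator repeats itself."""
        self._require_operational()
        if self._last_rng_block is None:
            # The very first block is only stored for comparison, never output.
            self._last_rng_block = source(n)
        block = source(n)
        if block == self._last_rng_block:
            # A stuck generator would hand out repeated keys, so stop everything.
            self.failures.append("continuous-rng")
            self.state = "error"
            raise SelfTestFailure("continuous RNG test failed: repeated output block")
        self._last_rng_block = block
        return block

    def digest(self, data):
        self._require_operational()
        return hashlib.sha256(data).hexdigest()

    def _require_operational(self):
        if self.state != "operational":
            raise SelfTestFailure(f"module is in the {self.state} state: {self.failures}")


if __name__ == "__main__":
    good = CryptoModule()
    print("intact image:", good.power_up_self_tests())          # operational
    tampered = CryptoModule(image=MODULE_IMAGE + b"\x00")      # one byte appended
    print("tampered image:", tampered.power_up_self_tests(), tampered.failures)
```

A real validated module runs a known-answer test for every approved algorithm it implements, computes the integrity MAC or signature over its actual binary, and treats the error state as a hard stop until reset. The point to take from the toy is that every service is gated on the self-test state, and that an image differing by a single byte is refused outright rather than trusted.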


Integrate FIPS-Compliant Encryption into Your Security Operation

FIPS 140 validation is a standard part of federal and defense security programs. If you work anywhere that NIST standards apply, whether by mandate or by choice, you will almost certainly run into FIPS 140 requirements, typically in the form of a rule that all cryptography protecting sensitive data be performed by a validated module operating in its approved mode.

As a complete risk and security management firm, Continuum GRC is experienced in NIST compliance, risk management, and comprehensive security assessments. We can help ensure that you use the right encryption and cryptographic modules, physical security measures, and technical safeguards to stay in line with your industry-specific regulatory needs. 

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, and we are the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization's cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

