Federal Information Processing Standard (FIPS)

From HPCWIKI
Revision as of 16:14, 30 August 2023 by Admin

What is FIPS Certification[1]

FIPS stands for Federal Information Processing Standard. FIPS 140-2 is the benchmark for validating the effectiveness of cryptographic hardware. Although FIPS 140-2 is a U.S./Canadian federal standard, FIPS 140-2 compliance has been widely adopted around the world in both governmental and non-governmental sectors, including the server domain, as a practical security benchmark and realistic best practice.

Products certified to FIPS 140-2 can remain valid for 5 years after validation. See the NIST transition page for more details.

FIPS 140-3 is the latest version of the U.S. government computer security standard used to validate cryptographic modules. As of April 1, 2022

FIPS 140-2 Levels

Level | Description
Level 1 | Requires production-grade equipment and externally tested algorithms.
Level 2 | Adds requirements for physical tamper-evidence and role-based authentication. Software implementations must run on an operating system approved to Common Criteria at EAL2.
Level 3 | Adds requirements for physical tamper-resistance and identity-based authentication. There must also be physical or logical separation between the interfaces by which “critical security parameters” enter and leave the module. Private keys can only enter or leave in encrypted form.
Level 4 | Makes the physical security requirements more stringent, requiring the ability to be tamper-active, erasing the contents of the device if it detects various forms of environmental attack.

For many organizations, requiring FIPS certification at FIPS 140-2 Level 3 is a good compromise between effective security, operational convenience, and choice in the marketplace.

References

1. https://www.entrust.com/resources/hsm/faq/data-protection-security-regulations/what-fips-140-2