FIPS 140-2

The Federal Information Processing Standards (FIPS) Publication 140-2, issued by the National Institute of Standards and Technology (NIST), specifies the cryptographic security requirements to be used when protecting sensitive but unclassified information.

The former FIPS 140-1 was developed to meet requirements for four different security levels. Each security level addressed a different degree of data sensitivity, with security level 1 being an introductory level of cryptographic security and security level 4 providing the highest level of security defined in the standard. The applications for these security levels range from personal computers protected by simple authentication to external storage devices and entire environments protected by encryption, signatures, and complex key management. Corporations often use NIST-supplied lists of vendors and their hardware to ensure that the devices used are compliant with national standards.

According to FIPS 140-2:

The FIPS 140-2 standard specifies the security requirements that will be satisfied by a cryptographic module used within a security system protecting sensitive but unclassified information (sensitive information). The standard provides four increasing, qualitative levels of security: Levels 1, 2, 3, and 4.
These levels cover a range of potential applications and environments in which cryptographic modules may be employed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. This standard supersedes FIPS 140-1, Security Requirements for Cryptographic Modules.
The Cryptographic Module Validation Program (CMVP) validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography-based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE) of Canada. Products validated as conforming to FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or designated information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.
In the CMVP, vendors of cryptographic modules use independent, accredited testing laboratories to have modules tested. National Voluntary Laboratory Accreditation Program (NVLAP)-accredited laboratories perform cryptographic module compliance/conformance testing.


National Institute of Standards and Technology. (2001). The Federal Information Processing Standards (FIPS) Publication 140-2: Security requirements for cryptographic modules. In the public domain.