FIPS 140-2

Hardware or software products containing cryptographic modules that are being sold to the US Government must comply with FIPS 140-2.

Overview

The National Institute of Standards and Technology (NIST) issued the FIPS (Federal Information Processing Standard) 140 series to uphold the standards indicating the US Federal Government requirements that IT products should meet.

UL will help you through the process, from design assessment through receiving your certificate number. Our FIPS 140-2 validation testing process includes:

  • Design assessment to determine whether or not your product meets the FIPS requirements
  • Algorithm testing to ensure that your cryptographic algorithms are implemented properly
  • Source code review
  • Physical security testing
  • Operational testing
  • Extensive reviews, including final approval by our Lab Director before submission to the Cryptographic Module Validation Program (CMVP)
  • Coordination with the CMVP to ensure that your report goes through the validation process as smoothly as possible

Benefits

  • UL’s laboratory in San Luis Obispo (formerly known as InfoGard) was the first federally accredited FIPS laboratory (NVLAP Lab Code: 100432-0) to perform FIPS 140-1 and 140-2 validation testing. UL has the experience, relationships and tools in place to help you attain the FIPS 140-2 validation your product requires.
  • With laboratory locations in USA and Australia, UL can serve clients across the global, boasting the largest FIPS validation test team to meet the need of our clients.
  • UL has tested more cryptographic modules of all types and security levels than any other laboratory and is the most experienced FIPS 140-2 laboratory and consultant in the industry. Our security engineers and management played an integral role in the development of the original FIPS 140 standard, so we thoroughly understand the intent of the requirements and how to achieve compliance.

Services Include

Cryptographic Module Validation Program (CMVP)

Modules are the actual software and/or hardware products used to protect sensitive information / assets during FIPS approved security functions.

A full validation requires UL to understand all cryptographic functionality in the module, after which time a suitable set of tests are developed and exercised to address the FIPS 140-2 requirements. The result of a full module validation is a test report which (if passing) would be submitted to NIST/CSE for FIPS 140-2 approval.

Client Materials for Module Validation

Appendix A in the FIPS 140-2 published standard provides the official documentation requirements for validation. 

Documentation

  • Non-proprietary security policy
  • Crypto officer and user guidance documents
  • General design documentation describing the architecture and internal subsections.
  • API guide or command set details (depending upon the module design)
  • Details on all keys and sensitive data, how they are loaded, used, generated, stored and transferred
  • Finite state machine which describes the logical states in the device.
  • Document which includes direct answers or references to other documents for all items listed in Appendix A of the FIPS 140-2 publication
  • Instructions on how to set up the samples modules in the lab and exercise all cryptographic functionality
  • Proof of conformance to EMI/EMC requirements

Requirements for FIPS 140-2 Validation Testing

Sample devices

Samples of the module are required for hardware approvals. The number of samples depends on the target level and complexity of the product.

Source code

Source code for the firmware and application components of the module. If necessary a lab validator can view the source code at the client site, however, this may add additional costs for travel and accommodation.

Schematics and PCB layouts

For hardware modules, design details which would typically include the schematics and PCB layouts are required. 

Cryptographic Algorithm Validation Program (CAVP)

Algorithms are simply the basic commands which perform the encryption/decryption/hashing of the plaintext or ciphertext data. 

Algorithm validations are tests developed by NIST to confirm the correct operation of the cryptography. Typically UL configures the NIST CAVS tool to suit the vendor’s use cases and generates a set of test vectors. These vectors are then supplied to the vendor for passing through the module, with the results returned to the lab. After verifying all answers, UL will submit the vectors and answers to CAVP for official validation and certificate generation.

Client Materials for Algorithm Validation

  • Specification of all algorithms, supported key sizes, modes of operation, operational environment (for software libraries) and implementation limitations. This information will be input into the CAVS tool to generate test vectors.
  • Details of the module and vendor company. This includes module name, firmware version numbers, processor type, company name, contact name, address, and URL. 
  • If the vendor will be processing the test vectors: outputs from the passing of test vectors through the module.
  • If the lab will be processing the test vectors: instructions on how to pass arbitrary data and keys to the module, and receive the output.

OTHER FIPS 140-2 RELATED SERVICES

Product Profile and Documentation Workshop

Meet with a UL Security Engineer who will provide a complete overview of the FIPS 140-2 requirements and the validation testing process. The Security Engineer will also provide a full product assessment, including identifying areas of non-conformance, and supporting document templates with an explanation of the FIPS documentation requirements.

Algorithm Validation Testing

For those clients that only desire or need their cryptographic algorithm tested and validated, without having the entire product undergo FIPS 140 validation testing, UL will walk you through the steps of getting your cryptographic algorithms Cryptographic Algorithm Validation Program (CAVP) validated as quickly as possible. 

Random Number Generator Entropy Analysis

FIPS 140 requires that clients provide an in-depth entropy analysis of random number sources, such as hardware / nondeterministic random number generators. A UL Security Engineer will assist in the entropy analysis through design review and sampling in order to help you meet your FIPS 140 obligations.

Physical Security Pre-Evaluation Services

At UL, Physical Security Engineers are specialized to understand the importance of hardened security measures that meet the need of the industry and the target FIPS 140 physical security requirements.  Gaps or compliance issues late in the develop process are costly both in redesign and time to market.  As a result, UL provides physical security pre-evaluation services to clients that need a trusted third-party to review preliminary designs for potential gaps, concerns, or compliance issues.  This can be done early while in the design concept phase and/or during prototyping.

Compliance Consulting

A UL Security Engineer will help you understand the FIPS 140-2 requirements and will identify potential compliance issues so you can bring your product into compliance and avoid the time and cost of re-testing. Compliance Consulting will be provided upon request during any phase of product development or the FIPS validation testing process.

ISO 19790 Introductory Workshop

Schedule a webinar or interactive workshop covering the implications of the proposed ISO 19790 requirements and learn about the potential impacts to your product or proposed cryptographic module design.

ISO 19790 Validation Testing

Using the process we established to conduct FIPS 140-2 validation testing, UL Security Engineers will evaluate your cryptographic module per ISO 19790 requirements.  For preexisting products with a FIPS 140-2 certificate, our staff would streamline the ISO 19790 evaluation by testing gaps based on differences in the requirement.

LEARN MORE ABOUT FIPS 140-2 COMPLIANCE*

*UL offers links to these webpages and documents because we believe they may have value and relevance for consumers, manufacturers and others who share our interest in public safety. UL has no role in the development or maintenance of these webpages and documents. UL is not responsible for the content, accuracy, opinions expressed or other links provided by these resources. 

Related news

Get in touch