FIPS has been developed by NIST to address the inadequacy of industry standards or solutions for the security and interoperability requirements of the Federal government.
The National Institute of Standards and Technology (NIST) issued the FIPS (Federal Information Processing Standard) 140 series to set out the US Federal Government requirements that IT products should meet.
Who needs FIPS 140-2 compliance?
If you wish to launch hardware or software products containing cryptographic modules in the US market, you need to comply with FIPS 140-2.
There are two programs associated with the FIPS 140 effort: the Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP). Algorithms are simply the basic commands which perform the encryption/decryption/hashing of the plaintext or ciphertext data. Modules are the actual software/hardware incorporating these algorithms. Both programs are jointly operated by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC). In general, any cryptographic module that uses, stores, and/or transmits sensitive data, and is sold to the federal market in the US and Canada, must meet the FIPS 140-2 requirements. Also, all modules are required to utilize at least one FIPS-approved encryption algorithm.
What can UL do?
UL is uniquely positioned as one of only twenty accredited cryptographic module testing laboratories worldwide. We perform validation testing of cryptographic modules. Within most areas, a cryptographic module receives a security level rating, depending on which requirements are met. Our highly skilled engineers will perform the required tests to ensure your hardware and software products are ready for the US market.
- NIST CAVP main website
This link lists all of the cryptographic algorithm types that can be validated under the CAVP, along with the associated standards or specification documents for each, and the tests that are conducted. The duration for algorithm investigations is typically on the order of 2 weeks.
- NIST CMVP main website
This link provides an overview of the CMVP. On the left, there are various links that may be of interest, including the "Standards" link (see below), the "Module Validation Lists" (which indicates all validated modules since the program's inception), and the "Modules In Process" link, which shows the products that are currently under evaluation and/or review by NIST/CSEC.
- The duration for module investigations is typically on the order of 2-3 months (depending upon the complexity of the product) plus the time required for NIST/CSEC to review the test data (variable 3-10 months)
- FIPS 140-2 Standard (pdf)
The primary document is FIPS PUB 140-2 – “Security Requirements for Cryptographic Modules”. Within this document, refer to Appendix A, which gives a summary of the documentation requirements, and Appendix C, which details the information to be included in the Security Policy, which is the primary document required for FIPS 140-2 validation.
FIPS 140-2 Annexes*:
- Annex A - Approved Security Functions (pdf)
- Annex B - Approved Protection Profiles (pdf)
- Annex C - Approved Random Number Generators (pdf)
- Annex D - Approved Key Establishment Techniques (pdf)
- Derived Test Requirements (DTR) (pdf)
This document goes into much more detail on what is involved from both a vendor and testing lab (UL) standpoint for each requirement provided in the FIPS 140-2 standard. Note that the clauses that start with “VE” are vendor requirements and those that start with “TE” are testing lab requirements.
- FIPS 140 Module Validation List
- FIPS 140 Modules In Process List (pdf)
- Cryptographic Module Validation Program
- Cryptographic Algorithm Validation Program
- FIPS 140-2 Publication (pdf)
- FIPS 140-2 Implementation Guidance (pdf)
FIPS 201 (NPIVP)
- GSA FIPS 201 Evaluation Program
- NIST Personal Identity Verification (Technical)
- NIST Personal Identity Verification Program (Administrative)
- FIPS 140-2 CMVP
- HSPD-12 Text
- GSA Smart Card Standards and Interoperability
- MINEX (Minutiae Interoperability Exchange Test) and MINEX II (Match-on-Card) Program
- FBI IAFIS Certified Products List
- MITRE Image Quality Software and Specifications
- Smart Card Alliance
- SP 800-73
*UL offers links to these websites and documents because we believe they may have value and relevance for consumers, manufacturers and others who share our interest in public safety. UL has no role in the development or maintenance of these websites and documents. UL is not responsible for the content, accuracy, opinions expressed or other links provided by these resources.