Q

How to verify 140-2 (FIPS 140-2) compliance

In this SearchSecurity.com Q&A, identity management and access control expert, Joel Dubin, discuses several ways to verify that Federal Information Processing Standard 140-2 is being enforced.

How do I assure management that Federal Information Processing Standard 140-2 (FIPS 140-2) is actually implemented? Can you provide an example test or criteria?

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a security standard for cryptographic modules. FIPS 140-2 accreditation is required for any cryptography product sold by a private sector company to the government.

The program defines four levels of security, but all are for what the government defines as "sensitive but unclassified" (SBU) data.

The procedure works as follows, The National Voluntary Laboratory Accreditation Program (NVLAP) of the National Institute of Standards and Technology (NIST) accredits laboratories for testing cryptographic modules to ensure they meet FIPS 140-2. To add to that alphabet soup of acronyms, the certifying labs are called Cryptographic Testing Module (CMT) laboratories. Once certified, the vendor is issued a certificate verifying compliance.

The time-consuming certification process can take several months. The required testing can drain engineering resources from a company. There's also a lot of documentation required to meet the standard.

There are two ways to assure your management that FIPS 140-2 is being implemented. One is to hire a consultant specializing in the standard, such as Rycombe Consulting or Corsec Security. These companies provide the necessary documentation for the certification procedure, which you can use to prove implementation.

The other way is to thoroughly document and regularly report on the process yourself within your own organization. The FIPS 140-2 process is straightforward, and the requirements are clearly spelled out in documentation available online from NIST. Read more about the FIPS 140-2 process on the NIST Web site.

More on this topic

This was first published in April 2007

Dig deeper on Enterprise Data Governance

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close