
What does 'FIPS 140-2 Level 2 certified' mean for security?

What does FIPS 140-2 Level 2 certification for devices cover? Expert Michael Cobb explains the FIPS 140-2 security standard and how vendors use it in their claims.

Is there such a thing as an Android tablet that meets FIPS 140-2 Level 2 requirements? I see Samsung tablets meet Level 1, and it looks like Blackberry 10 is actually Level 2. Does this require certain configurations at the OS level? Is Android OS security up to par for FIPS 140-2 Level 2?

When evaluating devices that will store or process sensitive data, it is essential to understand exactly what security assertions a vendor is making about its products. Marketing phrases such as "meets FIPS 140 standards" or "FIPS encryption" tell you nothing and should be disregarded; look instead for "FIPS 140-2 Level N validated" (NIST's term; vendors often say "certified") together with a certificate number. That wording means a specific cryptographic module has been tested by an accredited Cryptographic and Security Testing laboratory and validated by NIST's Cryptographic Module Validation Program (CMVP). Even then, look the certificate up on the CMVP validated modules list: the entry names the module, its overall level and per-area levels, and the operational environments (operating system and hardware) in which it was tested, and it links to the module's Security Policy, which lists the approved algorithms and the configuration needed to run the module in its approved mode. A vendor's claim is only as good as the match between that entry and your own deployment.

Federal Information Processing Standard (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, is the U.S. government standard (also used by Canada, whose Communications Security Establishment runs the CMVP jointly with NIST) for validating the design and implementation of cryptographic modules: the hardware, software or firmware components that implement the approved algorithms and protect the keys. A security system relies on its cryptographic module to maintain the confidentiality and integrity of the information it protects, so the module's correctness matters more than any individual algorithm choice. FIPS 140-2 defines four increasing, qualitative security levels, Level 1 to Level 4. Level 1 requires at least one approved algorithm and production-grade components with no specific physical security; Level 2 adds tamper-evident seals or coatings and role-based authentication; Level 3 adds tamper detection and response (zeroizing keys when the enclosure is opened), identity-based authentication, and separation of the ports used for plaintext critical security parameters; Level 4 requires a complete envelope of tamper protection and protection against environmental attacks such as voltage or temperature manipulation. The requirements are grouped into eleven areas: cryptographic module specification; ports and interfaces; roles, services and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference and compatibility; self-tests; design assurance; and mitigation of other attacks. A module's overall level is the lowest level it achieves in any of these areas, which is why the certificate lists each area separately.

Even when a particular module has been validated, it does not follow that the same level of security is achieved when the module is deployed in a different device, on a different operating system or with a different configuration: the certificate lists the tested operational environments, and the Security Policy specifies the settings that put the module into its approved mode of operation. The scope of the validation matters just as much, so take the time to find out exactly what was tested. OpenSSL is the usual example. The OpenSSL FIPS Object Module was validated, but only the cryptographic routines inside that module are covered. The TLS heartbeat extension is implemented in OpenSSL's TLS code outside the module, so it was never in scope, which is why the Heartbleed vulnerability could exist in a FIPS-capable build without contradicting the validation, something not many people appreciated until that flaw was disclosed.
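The two checks described above, matching the certificate to your own deployment and confirming what the validation actually covers, can be scripted once you have copied the relevant fields from the CMVP entry and the Security Policy. The following is an added example, not code from the original article or from NIST; the certificate numbers, vendor, module and environment names are constructed placeholders, not real CMVP entries, and the record structure is a simplified model of the fields a real entry carries.

```python
"""Checking a "FIPS 140-2 Level N certified" claim against CMVP-style records.

Added example, not code from the original article or from NIST. The records
below are constructed placeholders (fake certificate numbers, vendor, module and
environment names); in practice the fields are copied from the module's entry on
NIST's Cryptographic Module Validation Program list and from its Security Policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ValidationRecord:
    """Subset of the fields a CMVP certificate entry and Security Policy carry."""
    cert_number: str
    module_name: str
    overall_level: int                       # 1..4; the minimum over the eleven areas
    status: str                              # "Active", "Historical" or "Revoked"
    tested_environments: frozenset           # OS/hardware combinations the lab actually tested
    vendor_affirmed_environments: frozenset  # ported by the vendor, not tested by the lab
    approved_algorithms: frozenset           # usable only in the module's approved mode


@dataclass(frozen=True)
class VendorClaim:
    """What the vendor's data sheet says, plus what our deployment needs."""
    cert_number: str
    claimed_level: int
    deployment_environment: str
    algorithms_relied_on: frozenset


def check_claim(claim: VendorClaim, cmvp: dict) -> list:
    """Return findings ("FAIL: ..." or "WARN: ..."). An empty list means the
    claim holds for this specific deployment, not merely in the abstract."""
    findings = []
    record = cmvp.get(claim.cert_number)
    if record is None:
        return [f"FAIL: certificate #{claim.cert_number} is not on the CMVP list"]
    if record.status != "Active":
        findings.append(f"FAIL: certificate #{claim.cert_number} is {record.status}, not Active")
    if claim.claimed_level > record.overall_level:
        findings.append(f"FAIL: claimed Level {claim.claimed_level} but the overall level is "
                        f"{record.overall_level}")
    env = claim.deployment_environment
    if env in record.tested_environments:
        pass  # exactly the environment the lab tested
    elif env in record.vendor_affirmed_environments:
        findings.append(f"WARN: '{env}' is vendor-affirmed only; the lab did not test the module there")
    else:
        findings.append(f"FAIL: '{env}' was neither tested nor affirmed; validation does not carry over")
    # Anything outside the approved list runs in non-approved mode, validation or not.
    missing = sorted(claim.algorithms_relied_on - record.approved_algorithms)
    if missing:
        findings.append("FAIL: not in the approved-algorithm list: " + ", ".join(missing))
    return findings


# Constructed sample records: fake certificate numbers and names, not real CMVP entries.
CMVP_SAMPLE = {
    "0001": ValidationRecord(
        cert_number="0001", module_name="Example Crypto Kernel", overall_level=2,
        status="Active",
        tested_environments=frozenset({"ExampleOS 4.2 on ExampleTablet X"}),
        vendor_affirmed_environments=frozenset({"ExampleOS 4.4 on ExampleTablet Y"}),
        approved_algorithms=frozenset({"AES", "SHA-256", "HMAC", "RSA", "ECDSA"}),
    ),
    "0002": ValidationRecord(
        cert_number="0002", module_name="Legacy Crypto Library", overall_level=1,
        status="Historical",
        tested_environments=frozenset({"ExampleOS 2.3 on ExamplePhone"}),
        vendor_affirmed_environments=frozenset(),
        approved_algorithms=frozenset({"AES", "SHA-1", "Triple-DES"}),
    ),
}

# Constructed vendor claims for three hypothetical deployments.
CLAIMS = {
    # Matches the tested environment exactly: no findings.
    "matching": VendorClaim("0001", 2, "ExampleOS 4.2 on ExampleTablet X",
                            frozenset({"AES", "SHA-256", "HMAC"})),
    # Same module on a newer OS release: vendor-affirmed only, so a warning.
    "ported": VendorClaim("0001", 2, "ExampleOS 4.4 on ExampleTablet Y",
                          frozenset({"AES", "SHA-256"})),
    # Stale certificate, overstated level, untested OS and a non-approved algorithm.
    "overstated": VendorClaim("0002", 2, "ExampleOS 4.2 on ExamplePhone",
                              frozenset({"AES", "MD5"})),
}


if __name__ == "__main__":
    for name, claim in CLAIMS.items():
        print(name, check_claim(claim, CMVP_SAMPLE) or ["OK"])
```

The "ported" case is the one that catches people out: a vendor may legitimately list a newer OS release as vendor-affirmed, but the CMVP makes no statement about the module's correct operation in environments the lab did not test, so treat it as a risk decision rather than a validated configuration.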

No Android, Apple or BlackBerry handset or tablet is itself listed as FIPS 140-2 Level 2 validated, but the cryptographic modules behind BlackBerry 10 Secure Work Space and Samsung KNOX Workspace, the containers that separate personal data from sensitive corporate content, are. The value of a Level 2 module in these products is that one validated implementation of cryptography can be applied consistently across the container: data stored in the container, data shared between containers, data in use by container apps and data in transit between an app and a back-end corporate server or cloud service. Confirm in the module's Security Policy that each of those data flows really passes through the validated module in its approved mode; the validation says nothing about the container code around the module.

FIPS 140-2 validated products can provide stronger protection for sensitive enterprise data, but the people using them need to be trained in the security features and how to configure them; user error or negligence can still expose data, for example by running the module outside its approved mode or handling plaintext outside the container. The IronKey Workspace W700 and W700SC USB drives, for instance, are FIPS 140-2 Level 3 validated and can carry a complete bootable Windows 10 desktop, yet the user still has to be security-aware and vigilant when using them. Bear in mind, too, that validation is a snapshot: the module was tested against the requirements and threats known at the time, a vulnerability discovered later is not covered, a firmware or software update that changes the module needs revalidation, and certificates can later be moved to the Historical list or revoked, so recheck the CMVP entry periodically rather than once at purchase.


This was last published in April 2016
