Federal Information Processing Standards (FIPS) 140-2 is a U.S. standard for the security of cryptographic modules. It includes a broad set of security requirements covering everything from the physical security, cryptographic key management, roles and services, and cryptographic algorithm implementation that must be met before the cryptographic module can be approved as “validated”.
A cryptographic module includes all the hardware, software, and firmware components within a specified boundary that perform cryptographic operations. Examples of cryptographic modules are computer chips, cryptographic cards that go in a server, security appliances, and software libraries. A cryptographic module may, or may not, be the same as a sellable product. For example, a computer server doing cryptographic operations might have an internal crypto card that is the actual FIPS 140-2 validated crypto module.
Thales TCT/SafeNet AT FIPS 140-2 Certifications
|Certificate Number||Module Name||Security Level|
|3898||Luna T7 Cryptographic Module||
FIPS 140-2 Level 3. Applicable for T-2000 and T-5000 models of the Luna Network HSM and Luna PCIe HSM.
Applicable to TCT version of CipherTrust k570.
|2500||Luna G5 Cryptographic Module||FIPS 140-2 Level 3|
|2489||Luna PCI-E Cryptographic Module & Luna PCI-E Cryptographic Module for Luna SA||FIPS 140-2 Level 3 for PCI-E HSM, and embedded PCI-E in Luna SA HSM and KeySecure G460|
|2488||Luna PCI-E Cryptographic Module & Luna PCI-E Cryptographic Module for Luna SA||FIPS 140-2 Level 2 for PCI-E HSM, and embedded PCI-E in Luna SA HSM|
|2487||Luna G5 Cryptographic Module||FIPS 140-2 Level 2|
|2486||Luna Backup HSM Cryptographic Module||FIPS 140-2 Level 3|
|2049||SafeNet Software Cryptographic Library||FIPS 140-2 Level 1 for SSCL component in the KeySecure and Connector product lines|
Thales eSecurity/Thales CPL FIPS 140-2 Certifications
|Certificate Number||Module Name||Security Level|
|2825||eToken 5110||FIPS 140-2 Level 3. Applicable to KeySecure G160.|
|2891||Vormetric Application Encryption Module||FIPS 140-2 Level 1|
|3443||Vormetric Data Security Manager Virtual Appliance Module||FIPS 140-2 Level 1|
|3442||Vormetric Data Security Manager Module (V6000)||FIPS 140-2 Level 2|
|3730||HSM card within Vormetric Data Security Manager (V6100)||Embedded FIPS 140-2 Level 3 HSM provides additional layer of security to Vormetric Data Security Manager.|
|3205||Thales Luna K7 Cryptographic Module||FIPS 140-2 Level 3. Applicable for Luna HSM 7 A-Series and S-Series models of the Luna Network HSM and Luna PCIe HSM. Applicable to CPL version of CipherTrust k570.|
|3519||SafeNet Cryptovisor K7 Cryptographic Module||FIPS 140-2 Level 3. Applicable for Thales Data Protection on Demand (DPOD). DPOD is an integration option with CipherTrust Manager.|
|Module in Process||Vormetric Transparent Encryption Cryptographic Module||FIPS 140-2 Level 1. Applicable for Vormetric Transparent Encryption (VTE) and CipherTrust Transparent Encryption (CTE) offerings.|
|Module in Process||Thales CipherTrust Application Data Protection CryptoAPI (CADP CryptoAPI) Module||FIPS 140-2 Level 1. Applicable for CipherTrust Data Security Platform.|
|Module in Process||Thales CipherTrust Manager Core Security Module||FIPS 140-2 Level 1. Applicable for CipherTrust Manager.|
|3906||CN6000 Series Encryptors||FIPS 140-2 Level 3|
|3905||CN Series Encryptors||FIPS 140-2 Level 3|
NIST Special Publication 800-53 Rev. 4 outlines Security Controls and Assessment Procedures for Federal Information Systems and Organizations. Control SC-13 Cryptographic Protection in SP800-53 calls out for cryptographic protection and states that generally applicable cryptographic standards include FIPS-validated cryptography (i.e. use of FIPS 140-2 validated crypto modules) or NSA-approved cryptography. There are a number of other controls such SC-28 Protection of Information at Rest, SC-8 Transmission Confidentiality, and IA-7 Cryptographic Module Authentication that are often tailored to require the use of cryptography and thus trace back to SC-13 and the requirement for a FIPS 140-2 validated module.
The DoDIN APL process guide states that all products providing cryptographic-based security per applicable Federal Law and STIG requirements must be certified to FIPS 140-2 standards per the Cryptographic Module Validation Program (CMVP). Products that are required to have a FIPS 140-2 certification must already be FIPS 140-2 certified or proven to be in process for FIPS 140-2 certification prior to being accepted into the DoDIN APL process.
FISMA includes a requirement to utilize security controls and state that organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST SP800-53. It also states that FIPS 140-2 encryption is considered an appropriate control to protect data in all states (i.e. at rest, in motion) and for all types of applications (e.g. data storage, transmission between systems, remote access, wireless access, etc.).
FedRAMP Security Controls outlines specific security controls that Cloud Service Providers (CSPs) must adhere to when providing cloud-based services to the government. These controls are for the use of encryption for access control, encryption of data at rest, data separation, storage media sanitization, and the use of FIPS 140-2 cryptography.
The Health Insurance Portability and Accountability Act (HIPAA) recommends products certified for the FIPS 140-2 encryption standard to protect healthcare data.
CSfC specifies that the vendor’s product must be, among other things, FIPS certified, and that CSfC components must have completed CAVP testing.