Skip Navigation

Federal Information Processing Standards (FIPS) 140-2 is a U.S. standard for the security of cryptographic modules. It includes a broad set of security requirements covering everything from the physical security, cryptographic key management, roles and services, and cryptographic algorithm implementation that must be met before the cryptographic module can be approved as “validated”.

A cryptographic module includes all the hardware, software, and firmware components within a specified boundary that perform cryptographic operations. Examples of cryptographic modules are computer chips, cryptographic cards that go in a server, security appliances, and software libraries. A cryptographic module may, or may not, be the same as a sellable product. For example, a computer server doing cryptographic operations might have an internal crypto card that is the actual FIPS 140-2 validated crypto module.

  • Thales TCT - SafeNet AT Certificates

    Thales TCT/SafeNet AT FIPS 140-2 Certifications

    Certificate Number Module Name Security Level
    Module in Process Luna T7 Cryptographic Module FIPS 140-2 Level 3. Applicable for T-2000 and T-5000 models of the Luna Network HSM and Luna PCIe HSM.
    2500 Luna G5 Cryptographic Module FIPS 140-2 Level 3
    2489 Luna PCI-E Cryptographic Module & Luna PCI-E Cryptographic Module for Luna SA FIPS 140-2 Level 3 for PCI-E HSM, and embedded PCI-E in Luna SA HSM and KeySecure G460
    2488 Luna PCI-E Cryptographic Module & Luna PCI-E Cryptographic Module for Luna SA FIPS 140-2 Level 2 for PCI-E HSM, and embedded PCI-E in Luna SA HSM
    2487 Luna G5 Cryptographic Module FIPS 140-2 Level 2
    2486 Luna Backup HSM Cryptographic Module FIPS 140-2 Level 3
    2049 SafeNet Software Cryptographic Library FIPS 140-2 Level 1 for SSCL component in the KeySecure and Connector product lines
  • Thales eSecurity - Thales CPL Certificates

    Thales eSecurity/Thales CPL FIPS 140-2 Certifications

    Certificate Number Module Name Security Level
    3443 Vormetric Data Security Manager Virtual Appliance Module FIPS 140-2 Level 1
    3442 Vormetric Data Security Manager Module (V6000) FIPS 140-2 Level 2
    3730 Vormetric Data Security Manager (V6100) FIPS 140-2 Level 3 with an embedded nCipher nSheild hardware security module 
  • Policy Mandates

    NIST Special Publication 800-53 Rev. 4

    NIST Special Publication 800-53 Rev. 4 outlines Security Controls and Assessment Procedures for Federal Information Systems and Organizations.  Control SC-13 Cryptographic Protection in SP800-53 calls out for cryptographic protection and states that generally applicable cryptographic standards include FIPS-validated cryptography (i.e. use of FIPS 140-2 validated crypto modules) or NSA-approved cryptography. There are a number of other controls such SC-28 Protection of Information at Rest, SC-8 Transmission Confidentiality, and IA-7 Cryptographic Module Authentication that are often tailored to require the use of cryptography and thus trace back to SC-13 and the requirement for a FIPS 140-2 validated module.

    Department of Defense Information Network Approved Product List (DoDIN APL)

    The DoDIN APL process guide states that all products providing cryptographic-based security per applicable Federal Law and STIG requirements must be certified to FIPS 140-2 standards per the Cryptographic Module Validation Program (CMVP). Products that are required to have a FIPS 140-2 certification must already be FIPS 140-2 certified or proven to be in process for FIPS 140-2 certification prior to being accepted into the DoDIN APL process.

    Federal Information Security Management Act (FISMA)

    FISMA includes a requirement to utilize security controls and state that organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST SP800-53.  It also states that FIPS 140-2 encryption is considered an appropriate control to protect data in all states (i.e. at rest, in motion) and for all types of applications (e.g. data storage, transmission between systems, remote access, wireless access, etc.).

    Federal Risk and Authorization Management Program (FedRAMP)

    FedRAMP Security Controls outlines specific security controls that Cloud Service Providers (CSPs) must adhere to when providing cloud-based services to the government.  These controls are for the use of encryption for access control, encryption of data at rest, data separation, storage media sanitization, and the use of FIPS 140-2 cryptography.

    Health Insurance Portability and Accountability Act (HIPAA)

    The Health Insurance Portability and Accountability Act (HIPAA) recommends products certified for the FIPS 140-2 encryption standard to protect healthcare data.

    Commercial Solutions for Classified (CSfC)

    CSfC specifies that the vendor’s product must be, among other things, FIPS certified, and that CSfC components must have completed CAVP testing.

 

Connect with us

Learn more about our products, solutions and services Contact Thales TCT

This site uses cookies to store information on your computer. Some are essential to make our site work properly; others help us improve the user experience.

By using the site, you consent to the placement of these cookies. For more information, read our cookie policy and our privacy policy.

Accept