FIPS
Federal Information Processing Standards (FIPS) establish data security and computer system standards that organizations must adhere to per the Federal Information Security Management Act (FISMA) of 2002.
- FIPS 140 covers cryptographic module and testing requirements in both hardware and software.
- FIPS 180 specifies how organizations can be FIPS compliant when using secure hash algorithms for computing a condensed message.
- FIPS 186 is a group of algorithms for generating a digital signature.
- FIPS 197 is a standard that created the Advanced Encryption Standard (AES), which is a publicly accessible cipher approved by the National Security Agency (NSA) for top secret information.
- FIPS 198 is about a mechanism for message authentication that utilizes cryptographic hash functions.
- FIPS 199 standardizes how federal agencies categorize and secure information and information systems the agency collects or maintains.
- FIPS 200 is a standard that helps federal agencies with risk management through levels of information security based on risk levels.
- FIPS 201 specifies the standard for common identification for federal employees and contractors.
- FIPS 202 gives the specifications for the Secure Hash Algorithm-3 (SHA-3) family of four cryptographic hash functions and two extendable-output functions.
FIPS 140:
Level 1 is the lowest level of security. It covers the basic security features in a cryptographic module. Level 1 systems can use Integrated Circuit cards; however, software functions in a typical personal computer are acceptable.
Level 2 improves the physical security aspects of cryptographic modules. Examples of required physical security measures are tamper-evident coatings, seals, or pick-resistant locks. Role-based authentication is included in this security level and ensures the operator accessing the module is authorized and is limited to their assigned actions. Level 2 also allows for software cryptography in a multi-user system environment. That is where multiple users access a single system with one operating system (OS).
Level 3 requires enhanced physical security, potentially with products available from the private sector. A multi-chip embedded module has to be contained in a strong enclosure that zeroizes critical security parameters when it is removed. Zeroizing is the practice of turning machine settings to a zero value, which alters or deletes information. This security level also uses identity-based authentication. Identities, roles, and assigned actions are authenticated before access is granted. A module complying with Level 3 security has data ports for critical security parameters physically separated from other data ports. For multi-user systems, the OS must be more trusted than in Level 2.
Level 4 is the most secure part of the 140 standard. It requires tamper detection circuits to be able to detect any device penetration. This level is best for when cryptographic modules are in a physically unprotected environment that intruders can access. Module protection in Level 4 extends to keeping voltage and temperature conditions within normal operating ranges. Modules must be able to detect fluctuations and zeroize themselves. Modules can also be designed to operate outside their normal operating range and remain secure. For multi-user systems, Level 4 requires an OS that has earned an even greater degree of trust.