FIPS 140
What is FIPS 140?
Federal Information Processing Standard (FIPS) 140 is the de-facto standard in the United States
and Canada governing security requirements for cryptographic modules that protect sensitive, but
unclassified information. The standard provides a framework for secure design and implementation
of products that incorporate encryption methods for data security, integrity, and authentication.
Which products apply?
Cryptographic modules include a wide variety of hardware and software products,
covering a broad range of industries. As a general rule, any product that transmits
or stores sensitive data can fall under the FIPS 140 umbrella. This includes network
hardware such as routers and switches; electronic storage devices such as flash drives
and hard drives; wireless devices such as lighting and building controls; smartphones;
financial banking tokens; smartcards; and medical devices. Monitoring for Hexavalent
Chromium
Why should I evaluate my product?
The United States government, via the Federal Security Management Act (FISMA) of
2002, requires that all products that store or transmit sensitive data, which are intended
to be installed in government space, comply with FIPS 140. Additionally, multiple
industry standards rely on FIPS 140 as a basis for data security including the healthcare,
energy, information technology, financial, and identity verification industries. Multiple
UL standards, including UL 294 (Access Control Systems) and UL 1610 (Central Station
Alarm Systems), reference FIPS 140 for secure communication between devices. Finally,
FIPS 140 is an excellent method of verifying and distinguishing your product’s data
security features.
Why UL?
Founded in 1894, UL has been a leader in product testing and certification for over
100 years. As such, UL has the ability not only to conduct cryptographic module and
algorithm investigations, but to evaluate products to multiple safety and performance
standards in parallel with FIPS 140 investigations.
For additional information, please contact [email protected].
What services does
UL offer?
UL offers the following services
associated with FIPS module
and algorithm investigations:
• Product evaluation
• Product testing
• Preliminary investigation /
gap analysis
• Compliance consulting
Useful Links
Cryptographic Module Validation Program
NIST CMVP Website <http://csrc.nist.gov/groups/STM/cmvp/index.html>
Module Validation List <http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm>
Module-In-Process List <http://csrc.nist.gov/groups/STM/cmvp/inprocess.html>
Cryptographic Algorithm Validation Program
NIST CAVP Website <http://csrc.nist.gov/groups/STM/cavp/index.html>
Algorithm Validation Lists <http://csrc.nist.gov/groups/STM/cavp/validation.html>
Standards
FIPS 140-2 Standard <http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf>
FIPS 140-2 Derived Test Requirements <http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402DTR.pdf>
FIPS 140-2 Implementation Guidance <http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf>
For additional information, please contact [email protected].
UL and the UL logo are trademarks of UL LLC © 2015, NG-0390 03/15