| Q. |
What is FIPS 140? |
| A. |
Federal Information Processing Standard 140-2 (FIPS 140-2) and its predecessor FIPS 140-1 are U.S. government standards that provide a benchmark for implementing cryptographic software. They specify best practices for implementing crypto algorithms, handling key material and data buffers, and working with the operating system. |
| |
| Q. |
Who administers the FIPS 140 evaluation process? |
| A. |
Evaluation is administered by the Cryptographic Module Validation (CMV) Program of the National Institute of Standards and Technology (NIST) in the United States and the Communications Security Establishment (CSE) in Canada. The CMV program was established in July of 1995. All of the tests under the CMV program are handled by third-party accredited laboratories. |
| |
| Q. |
What is the difference between FIPS 140-1 and FIPS 140-2? |
| A. |
FIPS 140-1, defining the security requirements for cryptographic modules, went into effect on January 4, 1994. These requirements were updated in 2001, and the FIPS 140-2 standard was published. In May of 2002, NIST CMV started accepting validation test reports for cryptographic modules against FIPS 140-2 only.
FIPS 140-2 specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. |
| |
| Q. |
What are the requirements for getting a FIPS 140 validation? |
| A. |
Security requirements cover 11 areas related to the design and implementation of a cryptographic module, including operating system security, software security, key management, cryptographic algorithms, and self-testing. |
| |
| Q. |
What is the value of FIPS 140 validation? |
| A. |
FIPS 140 validation provides third-party confirmation that a cryptographic software implementation meets the highest possible standards. Reflection for Secure IT includes FIPS 140-2 validated cryptographic modules, and can be easily configured to operate in FIPS mode, consistent with the crypto module’s security policy. In this way, Reflection for Secure IT is set apart from competitive secure shell solutions, including many default implementations of OpenSSH, that have not been compiled with a FIPS-validated cryptographic module in accordance with its defined security policy. |
| |
| Q. |
What does FIPS 140 validation mean to the U.S. government? |
| A. |
FIPS 140-1 and FIPS 140-2 are two of a series of Federal Information Processing Standards Publications (FIPS PUBS) that have been issued by the U.S. government. FIPS PUBS are created by NIST (usually after a public comment period) and are issued after official approval by the U.S. Secretary of Commerce. FIPS PUBS are binding on U.S. government agencies (unless they are otherwise exempted from compliance), and products sold to the U.S. government often must comply with one or more of the FIPS PUBS standards. |
| |
| Q. |
What does FIPS 140 validation mean to nongovernmental organizations? |
| A. |
FIPS PUBS are not binding standards on individuals and organizations not associated with the U.S. government. However, many companies that do business with the U.S. government adopt FIPS PUBS standards for their own use. This may be because of contractual requirements or government regulations or simply because the companies decide that certain FIPS PUBS have value as standards for internal use. And the security community at large values products that have completed this evaluation, as it carries the blessing of an independent third party. |
| |
| Q. |
What FIPS validations does Reflection for Secure IT have? |
| A. |
Technically speaking, it is the cryptographic libraries used by Reflection for Secure IT products, not the products themselves, that are validated. The cryptographic software in Reflection for Secure IT has the FIPS 140-2, Level 1 validation, and the Reflection for Secure IT products can be configured to operate in FIPS mode, restricting the available algorithms to those approved for FIPS 140-2 operation. |
| |
| Q. |
Where can I see the FIPS validations for Reflection for Secure IT? |
| A. |
When choosing data security or cryptography-related products, users in the U.S. and Canadian federal governments are advised by NIST/CSE to refer to the FIPS 140-2 validation list (see http://csrc.nist.gov/cryptval). |
| |