FIPS 140-2 Validated Encryption CMMC

What is FIPS 140-2?

What is FIPS 140-2? Why was it created? Which encryption algorithms are FIPS 140-2 compliant?

Join our newsletter:

What is FIPS 140-2?

Created by the National Institute of Standards and Technology, the Federal Information Processing Standards Publication (FIPS) 140-2, “Security Requirements for Cryptographic Modules”, specifies the requirements an cryptographic algorithm must meet to be used to protect sensitive information on computer systems.

Why Was FIPS 140-2 Created?

The U.S. government needed to ensure that the encryption algorithms it was using were capable of protecting sensitive information. FIPS 140-2 listed requirements that cryptographers needed to meet to have their algorithms validated by the Cryptographic Module Validation Program (CVMP). Under FIPS 140-2, encryption algorithms can be validated at four different security levels.

What are the FIPS 140-2 Levels?

FIPS 140-2 has four levels of security: Level 1, Level 2, Level 3, and Level 4. The higher the level the more secure the more security is provided. FIPS 140-2 specifies the differences between these levels in depth however the below image provides a good overview.
FIPS 140-2 Levels Chart

What are the FIPS 140-2 Requirements?

FIPS 140-2 security requirements encompass eleven areas. These areas include the following:
  • 1. Cryptographic Module Specification
  • 2. Cryptographic Module Ports and Interfaces
  • 3. Roles, Services, and Authentication
  • 4. Finite State Model
  • 5. Physical Security
  • 6. Operational Environment
  • 7. Cryptographic Key Management
  • 8. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
  • 10. Design Assurance
  • 11. Mitigation of Other Attacks

Common FIPS 140-2 Compliant Algorithms

  • Advanced Encryption Standard (AES)
  • Triple-DES Encryption Algorithm (TDEA)
  • Digital Signature Standard (DSS)
  • Secure Hash Standard (SHS) (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256)
  • HMAC
  • SHA-3

What is the Cryptographic Module Validation Program (CMVP)?

The CVMP is available to any vendors who seek to have their products certified for use by the U.S. Government and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate "sensitive, but not classified" information. Vendors seeking certification for their products have the tests completed by accredited third-party laboratories.
Modules that have passed these tests can be found in the CVMP database.

FIPS 140-2 to be Replaced by FIPS 140-3

Testing of cryptographic modules against FIPS 140-2 will end on September 22, 2021 and will be replaced by FIPS 140-3.

FIPS 140-2 Validated Cryptography CMMC

With CMMC anything that needs to be encrypted including both data at rest and in transit should be encrypted using FIPS validated encryption alogorithms. If you are seeking a CMMC level 3 or higher certification then this is certainly the case (see CMMC practice SC.3.177)



Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 NIST SP 800-171 & CMMC Compliance App

NIST SP 800-171 & CMMC Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.