What is FIPS 140-2?

FIPS 140-2, or the Federal Information Processing Standard Publication 140-2, is a US government security standard used to approve cryptographic modules. In this post, we'll explore the reasons why companies may need to comply with FIPS 140-2 and the different security levels outlined by the standard.

Why use FIPS 140-2?

Companies may need to comply with FIPS 140-2 if they work with U.S. government agencies, as FIPS 140-2 is often a requirement for vendors supplying cryptographic products to the U.S. government. Additionally, some industries such as healthcare and financial services, may have their own regulatory requirements that mandate compliance with FIPS 140-2 or other security standards.

You may have heard of FIPS 140-2 if:

  • You have used or looked into a Managed File Transfer solution
  • You work in a cybersecurity-related field
  • You work for a company that needs to comply with regulatory requirements related to data security, such as the financial or healthcare industries.

So is MOVEit FIPS 140-2 validated?

MOVEit holds a current FIPS 140-2 certificate that can be found here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1363

This certificate covers both MOVEit Transfer and MOVEit Automation. Both applications utilise FIPS validated AES and SHA-1 for encryption.  MOVEit Transfer and MOVEit Automation utilises FIPS-validated encryption for HTTPS, FTP commands, and data stream encryption. MOVEit Automation also utilises FIPS-validated encryption for the encryption of configuration files and for HTTP, HTTPS, and FTP integrity checking.

Diving a little deeper

FIPS 140-2 or Federal Information Processing Standard Publication 140-2 is a US government security standard used to approve cryptographic modules. The National Institute of Standards and Technology (NIST) introduced the FIPS 140 publication series to ensure the requirements and standards for cryptography modules, including hardware and software. The standard provides four levels of security that will cover a wide range of potential applications and environments.

Federal agencies and departments can validate that the module in use is covered by an existing FIPS 140-1 or FIPS 140-2 certificate. This certificate will need to list the exact model name, hardware, software, firmware and applet version number.

The four levels in FIPS 140-2 are named “level 1” to “level 4”. FIPS 140-2 does not specify what level of security an application needs. The definition of these levels are:

Level 1

Security level 1 provides the lowest level of security. Basic security requirements are specified for a cryptographic module, such as at least one approved algorithm will be used. No specific physical security mechanisms are required for security level 1. An example of a Security Level 1 cryptographic module is a personal computer encryption board.

Level 2

Security level 2 improves on the physical security of level 1 by requiring features that have evidence of tampering. This could be tamper-evident coating or seals that need to be broken to get physical access to the plaintext cryptographic keys and critical security parameters (CSP) within the module. This could also be locks on the covers of the module or doors that are pick resistant to help protect against physical access.

Level 3

In addition to the tamper-evident physical security mechanisms required by level 2, level 3 attempts to stop an intruder from gaining access to the CSP within the module. The physical security mechanisms in level 3 may include strong enclosures and tamper detection that will delete all plaintext CSP’s when the covers or doors to the module are opened.

Level 4

Security Level 4 is the highest level of security. At this stage, the physical security provides complete protection around the cryptographic module with the intent of detecting all unauthorised attempts to the physical device. Unauthorised access to the cryptographic module from any direction has a very high probability of being detected and all plaintext CSP’s will be deleted. At Security Level 4 a cryptographic module is required to have either special environmental protection features that will detect fluctuations and delete CSP’s or to have rigorous environmental failure testing to provide assurance that the module will not be affected by fluctuations outside of the normal operating range. If the module is out of this range all CSP’s will be deleted.