FIPS 140–2: How it Evolved and Why It’s Important for Security

What is FIPS and Who is it For?

The Evolution of FIPS 140

The Prequel: FIPS 140–1

  • Level 1 — All components must be “production-grade”
  • Level 2 — Security systems must meet requirements for physical tamper detection and response in case an attacker obtains physical access to the cryptographic module.
  • Level 3 — Security systems must also be tamper-resistant — i.e., make it physically difficult to physically access sensitive information in the module, preventing an attack in the first place. They must also use identity-based authentication systems and involve separation between cryptographic key interfaces.
  • Level 4 — The physical security requirements of the module are strictest and must be accident/disaster-proof.
  1. What information must be documented
  2. What information flows in and out, and how it’s partitioned
  3. Who holds what roles in terms of data authentication, and the authentication process itself
  4. Documentation of the high-level states the security module may be in, and how transitions occur between those states
  5. Physical security — tamper evidence and resistance, as noted in the “levels” section above
  6. The operating system the module uses and interfaces with
  7. Cryptographic key management — generating, storing, and using keys
  8. Electromagnetic integrity and compatibility
  9. Tests and test procedures
  10. Documentation to support the design quality of the module
  11. Whether or not the module can mitigate other attacks, and descriptions of how it mitigates those attacks.

FIPS 140–2: Cryptography, 2001

  • Strengthening the requirements for secure authentication
  • More coverage of the ports and interfaces for a secure design and implementation of a cryptographic module
  • Updates to physical security requirements
  • Electromagnetic interference/electromagnetic compatibility (EMI/EMC); and
  • Mitigation of attacks which had not existed at the time FIPS 140–1 was released.

The Future of FIPS 140

How FIPS is Perceived

What FIPS Does Not Secure

  • Whether or not a cryptographic key security module eliminates the single point of failure in a key management system.
  • Key control and protection in external IT environments, e.g., “as-a-Service” models.
  • Policy regulation and governance across the entire cryptographic key management system — an important requirement for compliance in several industries that may supersede FIPS in some cases (e.g., in custodial situations in the financial sector); and
  • Crypto-agility and future-readiness — whether a cryptographic key management system is post-quantum ready, whether it can easily be updated for new system types, information types, cryptographic curves, or types of threats.



Content manager. Recovering reporter. Coffee enthusiast and chronic reader.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tova Dvorin

Tova Dvorin


Content manager. Recovering reporter. Coffee enthusiast and chronic reader.