Protecting Data with Controller-Based Encryption, Part 2

Author: Kevin Burbank

In the first post of this encryption series, I explained what Controller-based Encryption (CBE) is and gave an overview of the FIPS validation process.  Now, I want to explore the Federal Information Processing Standards 140 (FIPS 140-2) validation levels and their requirements.

FIPS 140-2 Validation Levels
There are 11 areas related to the design and implementation of a cryptographic module, each of which receives a security level rating from 1 (lowest) to 4 (highest).

The cryptographic module also receives an overall security level rating, which is equal to the minimum rating given to any of the 11 individual areas.

It’s important to remember that the overall rating of a cryptographic module is not necessarily the most important rating. Depending on the environment in which the cryptographic module will be implemented, the rating of one specific area may be more important to you and your users than the overall rating.

There are a few things to consider when deciding which rating level to pursue for your product:

  1. Customer/end user requirements: What rating levels do your customers need? Many end users only require FIPS 140-2 validation, but some agencies have stricter requirements.
  2. Competitive landscape: If your competitors are validated at Level 2, then a Level 1 validation may not be practical. Conversely, a Level 3 validation could give you a competitive advantage.
  3. Product design: Sometimes product features or capabilities will prohibit testing at higher levels. For example, if your cryptographic module does not support identity-based authentication, then it cannot be tested at Level 3 for Roles, Services, and Authentication and therefore cannot achieve Level 3 overall.
  4. Cost and time: In general, the higher the validation level you pursue, the more money and time it will take to get through the validation process.
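
The minimum rule and the per-area caveat above can be checked mechanically when comparing a module against a buyer's requirements. The following Python sketch is an added example, not code from the original post; the area names are the 11 areas defined by FIPS 140-2, while the function names, the sample ratings and the buyer requirements are constructed for illustration.

```python
# Added example. Area names are the 11 FIPS 140-2 areas; ratings are constructed.
AREAS = (
    "Cryptographic Module Specification",
    "Cryptographic Module Ports and Interfaces",
    "Roles, Services, and Authentication",
    "Finite State Model",
    "Physical Security",
    "Operational Environment",
    "Cryptographic Key Management",
    "EMI/EMC",
    "Self-Tests",
    "Design Assurance",
    "Mitigation of Other Attacks",
)

def overall_level(ratings):
    """Return (overall, limiting_areas) for a complete set of area ratings."""
    if set(ratings) != set(AREAS):
        raise ValueError("ratings must cover exactly the 11 areas")
    if any(r not in (1, 2, 3, 4) for r in ratings.values()):
        raise ValueError("each area rating must be an integer from 1 to 4")
    overall = min(ratings.values())  # overall = lowest individual rating
    return overall, [a for a in AREAS if ratings[a] == overall]

def unmet_requirements(ratings, min_overall, area_minimums=None):
    """List where a module falls short of a buyer's overall and per-area needs."""
    overall, limiting = overall_level(ratings)
    gaps = []
    if overall < min_overall:
        gaps.append(f"overall Level {overall} < {min_overall}; "
                    f"limited by: {', '.join(limiting)}")
    for area, need in (area_minimums or {}).items():
        if area not in AREAS:
            raise ValueError(f"unknown area: {area}")
        if ratings[area] < need:
            gaps.append(f"{area}: Level {ratings[area]} < {need}")
    return gaps

# Constructed module: Level 3 everywhere except authentication, which stays at
# Level 2 because the module has no identity-based authentication.
SAMPLE = dict.fromkeys(AREAS, 3)
SAMPLE["Roles, Services, and Authentication"] = 2

if __name__ == "__main__":
    print(overall_level(SAMPLE))
    # Buyer A cares most about Physical Security; buyer B needs Level 3 overall.
    print(unmet_requirements(SAMPLE, 2, {"Physical Security": 3}))
    print(unmet_requirements(SAMPLE, 3))
```

The sample module satisfies a buyer who needs Level 2 overall with Level 3 Physical Security, but not one who needs Level 3 overall, and the gap report names the area that holds the overall rating down.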

FIPS 140-2 Security Requirements
This table lists the security requirements for the four levels of validation in each of the 11 design and implementation areas.

[Table image: security requirements]

In my final post in this three-part series, I’ll have some important tips for those who are interested in submitting their cryptographic module assemblies for FIPS validation.


This entry was posted by Carol Whitmarsh and is filed under Encryption.