FIPS Validated Encryption

FIPS 140-2 is the current NIST encryption standard (soon to be revised to FIPS 140-3) for government agencies protecting sensitive but unclassified information.

NIST operates a Cryptographic Module Validation Program (CMVP) that offers testing of the encryption components (cryptographic modules) in products to ensure they comply with the FIPS standard. The testing covers not only which encryption algorithm is used (usually AES), but also how it is implemented and how the device is hardened against penetration attempts. Once a cryptographic module has passed the NIST-certified testing, it is issued a validation certificate and a notice is posted online at NIST.

Cryptographic Module Validation Program (CMVP) – [csrc.nist.gov]

[It is worth noting that many products claim to use “FIPS certified encryption” simply because they are using the AES encryption algorithm, but this is far short of having completed the FIPS validation testing that is required.]

Taken together, FISMA, FIPS, and the NIST SP 800-53 security controls require federal agencies that need to protect sensitive information to use FIPS validated encryption for that purpose. This requirement cannot be waived. NIST states that any cryptographic module that has not completed the FIPS validation process is to be considered “no protection”, the same as simply storing the data in plain text.

SEE ALSO:
FISMA and FIPS
