FIPS 140: Security Requirements for Cryptographic Modules

FIPS 140 is the de-facto standard to certify cryptography implemented in ICT products.

 For vendors, a successful FIPS 140 validation can be essential to selling their products in US and international markets. FIPS 140 has also proliferated into other verticals, like healthcare (HIPAA) and the financial industry. Intertek’s experienced Cryptographic Module Validation Program (CMVP) accredited laboratories can help you understand and navigate the process to ensure a successful validation.

Working with Intertek

We seek to engage early on and adopt risk mitigating processes whereby non-compliance is identified early on, fixes are discussed and planned, testing methodology is defined in advance to allow your teams to plan accordingly and schedule is tracked religiously to ensure our progress is in step with your development and test plans.

We have leveraged our considerable experience in FIPS 140 validation to develop custom tools and processes to offer a best-of-breed certification experience to our clients.

For vendors, a successful FIPS 140-3 validation can be essential to selling their products in US and international markets:

  • In the U.S., the DoD and NIAP NSTISSP No. 11 require FIPS 140 validation for cryptographic modules used by federal government agencies to store, transmit or protect sensitive, but unclassified information (see section 3.2 of the FIPS 140-3 FAQ for details).
  • In Canada, the CSEC recommends federal agencies use FIPS 140 validated cryptographic modules to secure data designated as Protected A or Protected B.
  • In the U.K., the Communications-Electronics Security Group (CESG) recommends the use of FIPS 140 validated cryptographic modules.

 FIPS-140-2 Validation Timeline



FIPS 140 Algorithm Testing

Algorithm testing is an important step for the FIPS module validation process. While it is the most objective part of the validation process, it does not require specialized tools or skills to execute.

Service Offerings:

Educate vendor on the Cryptographic Module Validation Program (CMVP), FIPS, and identify requirements that need to be met in order to support testing of the cryptographic module.
Discuss requirements needing to be met and if the module under consideration is likely to pass analysis and conformance to those requirements.
Work with vendor to collect already existing information from the developer and put it in documents for our lab to carry out analysis and testing.
Execute algorithm tests and develop functional and physical tests of product conformance to FIPS requirements.
Monitor changes to the validation program requirements and provide updates to vendors on changes to the program or standard through implementation guidance issues by CMVP.
Need help or have a question? +852 3008 2099

Need help or have a question?

+852 3008 2099
+852 3008 2099