FIPS Validated vs FIPS Compliant, What's The Difference?


A lot of companies say they are FIPS 140-2 compliant. That is not the same as being FIPS 140-2 certified or validated, and the difference matters.

FIPS 140-2 sets out the security requirements for a cryptographic module used within a security system. It is published by the U.S. National Institute of Standards and Technology (NIST), and validations against it are administered jointly by the U.S. and Canadian governments through the Cryptographic Module Validation Program (CMVP). It is also recognized in the European Union.

The FIPS 140-2 validation process examines the cryptographic module itself, at one of four security levels. Level 1 is the baseline: the module must implement at least one approved algorithm (the algorithm implementations are tested separately under the companion CAVP program) and needs no physical protection beyond production-grade components. Levels 2 through 4 build on that baseline with increasing physical security and access-control requirements, starting with tamper-evident seals and role-based authentication at Level 2. At Level 3, for example, the module must sit in a tamper-resistant enclosure that detects physical intrusion and zeroizes (erases) the plaintext keys and other critical security parameters it holds if the device is physically compromised.

To be FIPS 140-2 certified or validated, the software (and hardware) must be independently tested by one of the 13 NIST-accredited Cryptographic and Security Testing laboratories, and the lab's test report is then reviewed by the CMVP before a validation certificate is issued. The process takes months. Sometimes the module fails testing and must be fixed and retested. This takes time and money.

A validation certificate is bound to a specific module version and to the platforms (operational environments) it was tested on. When the code inside the module boundary changes, FIPS requires that it be re-validated to make sure the changes have not introduced errors, so it is important to note which specific versions of a FIPS 140-2 product have been validated, and which have not. The authoritative record is the certificate entry on the CMVP validated modules list: check the module name, version, and operational environment against what is actually deployed.

Some companies take a shortcut and simply say they are FIPS compliant instead. "Compliant" has no formal definition; in practice it means that some, but not all, of the product has been FIPS validated. You can therefore find products on the market that incorporate third-party FIPS validated software or components, while the overall product itself is not FIPS validated. The vendor will say "Our FIPS-enabled XYZ product uses a PQR product, which is FIPS validated," but you have to read the fine print: which module, which version, and whether the product actually operates that module in its FIPS-approved mode.

Why is this important?

It's better to have a FIPS validated product than a Frankenstein's monster of some FIPS validated and some non-validated software. The security weakness is in the gaps: cryptography performed outside the validated module boundary, or a validated module that is never switched into its approved mode, gets none of the assurance the certificate implies. Caveat emptor.
