FIPS – US Cryptographic Testing Standard

Abstract:

Common Criteria does not address the validation of cryptographic implementations and algorithms. Individual countries have their own standards for evaluating and assuring cryptographic implementations.
FIPS 140-2 is one such security standard for cryptographic implementations, jointly developed and used by the governments of the United States and Canada; many other countries also recognize FIPS 140-2 certification. FIPS 140-2 is the NIST Federal Information Processing Standard entitled "Security Requirements for Cryptographic Modules", and the validation program behind it is run jointly by the United States and Canadian governments. In the United States, both Common Criteria and FIPS 140-2 certification may be required in order to sell an Information Assurance (IA) product to the US government.

This presentation will introduce the FIPS 140-2 program and the types of products that can be FIPS certified, and will compare the Common Criteria and FIPS 140-2 standards. Similarities and differences between the two programs will be discussed, including levels of certification, the details of the required evidence, effort, cost, and timeline. The presentation will include a comparative study of the FIPS process and the Common Criteria process in the United States.

In order to sell a product to a United States government organization, vendors are mandated to comply with FIPS 140-2 for cryptographic modules. This presentation will be useful to vendors targeting the United States government sector in deciding whether they will require FIPS certification (along with the Common Criteria certificate) and what effort, time, and cost are involved.