New standard set for security

FIPS 140-2 site

The Commerce Department has formally approved the new standard for the minimum level of cryptography in federal security products, replacing a standard that had been in effect for seven years.

With the approval June 27, security products used by agencies for sensitive, unclassified information must be certified under the National Institute of Standards and Technology's Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules.

The new FIPS 140-2 standard, which replaces the 140-1 standard from 1994, goes into effect Nov. 25.

FIPS 140-2 covers four increasing levels of security, to encompass a range of applications:

* Security Level 1 specifies basic security, such as a PC encryption board.

* Security Level 2 adds physical security to Level 1 products by requiring tamper-evident coatings or seals, or pick-resistant locks. It also requires role-based authentication of users and that operating systems meet the new Common Criteria Controlled Access Protection Profile.

* Security Level 3 strengthens physical security, requires identity-based authentication, and requires physical separation of data ports. There are also additional levels of Common Criteria requirements.

* Security Level 4 builds on all of the other requirements, as well as the ability to electronically erase information if the environmental conditions around the module change dramatically or if there are drastic fluctuations in the module's operating ranges.

NIST maintains a list of vendors and modules with FIPS 140-1 and 140-2 validation on its Web site.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.