Understand FIPS 140-2 and 140-3
Federal Information Processing Standards (FIPS) 140 are U.S. government criteria that provide a benchmark for the security of cryptographic modules. Both government and commercial sectors leverage these standards to ensure the secure handling of sensitive data.
TrustCore SDK compliance with FIPS 140-2/3
TrustCore SDK NanoCrypto maintains active NIST FIPS 140-2 certification (certificates #4298 and #4299) and FIPS 140-3 certification (interim certificates #4761, #4818)*1.
*1 Final FIPS 140-3 certificates pending.
FIPS compliance requirements
U.S. federal agencies (both civilian and military) are required by law to use FIPS 140-certified cryptographic modules. Additionally, government procurement policies mandate that commercial products obtain FIPS 140-3 certification specific to their operating environment. This certification requirement is standard in most federal RFPs and necessary for government contract eligibility.
FIPS validation as a service
DigiCert's FIPS Validation as a Service offering provides end-to-end support for achieving FIPS 140 certification. Our service streamlines the complex validation process, from initial assessment through final certification. Contact DigiCert® Sales for detailed information on certification requirements and timelines.
Migration and future-proofing support
FIPS 140-2 to 140-3 migration: TrustCore SDK includes migration tools and documentation to facilitate the transition from FIPS 140-2 to 140-3 standards. Our validation service provides guidance throughout the upgrade process.
Post-Quantum Cryptography (PQC) readiness: TrustCore SDK supports quantum-resistant algorithms, including ML-KEM (FIPS-203) and ML-DSA (FIPS-204). DigiCert® is currently pursuing FIPS 140-3 certification for these post-quantum algorithms to ensure continued compliance as cryptographic standards evolve.
FIPS 140-2: Established framework
FIPS 140-2, introduced in 2001, has served as a cornerstone of cryptographic module security. It lays out stringent requirements across four security levels, each providing a degree of data protection suited to different scenarios:
Security Level 1: Ensures basic security for general applications.
Security Level 2: Adds role-based authentication to prevent unauthorized access.
Security Level 3: Enhances protections for module identity and authentication data.
Security Level 4: Provides the highest degree of security against environmental and physical attacks.
FIPS 140-3: Next-Gen security
In 2019, FIPS 140-3 was introduced to keep up with evolving security demands, setting the stage for more robust protection mechanisms and reinforcing the relevance of FIPS standards in the face of advanced threats:
Security Level 1: Maintains basic security principles.
Security Level 2: Introduces tamper-evidence for enhanced physical security.
Security Level 3: Strengthens defenses against complex algorithmic attacks.
Security Level 4: Ensures comprehensive protection against high-level assault attempts.
Importance of FIPS validation
While FIPS standards are a government mandate, their influence extends well beyond government: many private and commercial organizations adopt them for improved trust, security, and regulatory advantages.
Defense Contractors: Protecting national security information through encrypted communications and data storage.
Healthcare Providers: Safeguarding patient information and ensuring the confidentiality and integrity of medical records.
Financial Institutions: Securing financial transactions and sensitive customer data against fraud and breaches.
Cloud Service Providers: Offering FIPS-validated cryptographic modules to clients who require compliance for their services.
Additional resources
Explore the following resources for a deeper understanding of FIPS 140-2 and 140-3: