What is FIPS 140-2?

Certified by NIST/CSEC’s Cryptographic Module Validation Program

What is FIPS 140-2 Compliance?

In 2001, NIST‘s Federal Information Processing Standard (FIPS) publication 140-2 established a security standard for cryptographic modules used by the U.S. federal government in the collection, storage, transfer, sharing and dissemination of sensitive information. Most federal agencies and regulated industries must comply with the FIPS 140-2 standard by law, and all products sold to the federal government that use cryptographic modules must be FIPS 140-2 validated.

What Organizations Require FIPS-Compliant File Transfer?

The organizations below are required to use FIPS-compliant cryptography by law:

• U.S. federal and state government agencies that deal with citizens’ private information
• The U.S. military and its vendors working with sensitive but unclassified data
• Vendors, suppliers and third parties selling cryptographic modules to the federal government or using these modules in support of their services

Industries that deal with sensitive data requiring high levels of privacy for regulatory or security reasons will often require the FIPS 140-2 standard as well. These industries include:

• Financial institutions
• Information-processing vendors
• Healthcare-related organizations that fall under HIPAA regulation
• Educational institutions
• Utilities

However, the FIPS 140-2 standard can be used any organization that wishes to transfer files securely, safeguard business data, and protect its most critical information.

What Does it Mean to be FIPS 140-2 Compliant?

A FIPS-validated solution must use cryptographic algorithms and hash functions that meet the FIPS requirements. Specifically, a FIPS-validated solution must:

1. Use algorithms and hash functions approved under FIPS 140-2 requirements
2. Be validated by the joint NIST/CSEC Cryptographic Module Validation Program (CMVP)

Cerberus FTP Server Editions