
FIPS 140-2

The U.S. National Institute of Standards and Technology (NIST) is required by law to publish cybersecurity standards for the federal government. These are called Federal Information Processing Standards (FIPS); each one is numbered and has a specific purpose. FIPS 140-2 sets the requirements for cryptographic modules implemented in hardware or software. Its goal is to protect federal data and to give organizations a way to test whether the security tools they use meet the standard.

Many systems, like file transfer protocol (FTP) or managed file transfer (MFT) servers, follow FIPS 140-2 by default. This standard will soon be replaced by FIPS 140-3. Groups that work with federal data must use FIPS-approved tools. That includes federal agencies, contractors and some state offices. Testing labs give certificates to tools that pass the review.

FIPS 140-2 security levels

FIPS 140-2 defines four distinct security levels, each with specific technical and operational requirements. These levels help classify cryptographic modules based on the degree of protection they provide.

  • Level one: It requires basic encryption with at least one approved algorithm. No physical security mechanisms are required.
  • Level two: It adds tamper-evidence and role-based authentication. Physical security features include locks or seals to detect unauthorized access.
  • Level three: It introduces tamper-resistance and identity-based authentication to protect cryptographic keys against compromise even if the device is physically accessed.
  • Level four: It offers the highest level of protection with physical tamper detection and response. It’s designed to resist environmental attacks and unauthorized physical access.

These levels provide organizations with options that match their security requirements for various data sensitivity levels.

FIPS 140-2 compliance

FIPS 140-2 compliance refers to the use of systems that have had their encryption modules independently validated through NIST’s Cryptographic Module Validation Program (CMVP).

To achieve FIPS 140-2 validation, cryptographic systems must feature:

  • Access control: Systems should restrict access based on user roles or identities.
  • Audit logging: They must track events like access attempts and setting changes.
  • Key management: Keys need to be created, stored and destroyed using strict rules.
  • Self-tests: Modules must perform checks at startup and during operation.
  • Validated algorithms: Only approved encryption methods and key sizes are allowed.

Validated FTP and MFT servers like Cerberus by Redwood will generally have a FIPS mode that automatically raises the encryption settings to the required levels for secure file transfer.
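To make the "validated algorithms only" requirement and the FIPS mode switch concrete, here is an added illustration (not Cerberus FTP Server code) of a policy check over an FTPS/TLS configuration. The allow-lists, the TlsConfig shape and the LEGACY sample are assumptions built from NIST SP 800-131A and SP 800-52 guidance; the authoritative list for any product is the CMVP security policy of its validated module.

```python
# Added illustration of a FIPS-mode policy check for an FTPS/TLS server; not
# Cerberus FTP Server code. The allow-lists are a simplified reading of NIST
# SP 800-131A / SP 800-52; the authoritative list is the module's CMVP security policy.
from dataclasses import dataclass

APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
APPROVED_CIPHERS = {"AES128-GCM", "AES256-GCM", "AES128-CBC", "AES256-CBC"}
APPROVED_SIG_HASHES = {"SHA256", "SHA384", "SHA512"}  # SHA-1/MD5 not approved for signatures
APPROVED_CURVES = {"P-256", "P-384", "P-521"}
MIN_RSA_BITS = 2048  # SP 800-131A minimum for RSA

@dataclass
class TlsConfig:
    protocols: list    # TLS versions offered
    ciphers: list      # symmetric bulk ciphers offered
    sig_hashes: list   # hashes accepted for handshake/certificate signatures
    curves: list       # ECDHE curves offered
    rsa_key_bits: int  # size of the server certificate's RSA key

def fips_violations(cfg: TlsConfig) -> list:
    """Return one message per setting that FIPS mode must refuse."""
    bad = [f"protocol {p} not allowed" for p in cfg.protocols if p not in APPROVED_PROTOCOLS]
    bad += [f"cipher {c} not approved" for c in cfg.ciphers if c not in APPROVED_CIPHERS]
    bad += [f"signature hash {h} not approved" for h in cfg.sig_hashes
            if h not in APPROVED_SIG_HASHES]
    bad += [f"curve {c} not approved" for c in cfg.curves if c not in APPROVED_CURVES]
    if cfg.rsa_key_bits < MIN_RSA_BITS:
        bad.append(f"RSA key of {cfg.rsa_key_bits} bits is below the {MIN_RSA_BITS}-bit minimum")
    return bad

def apply_fips_mode(cfg: TlsConfig) -> TlsConfig:
    """What a server's FIPS mode switch effectively does: drop every non-approved
    negotiable option. A too-small RSA key cannot be fixed in place, so it is kept
    and fips_violations() keeps reporting it until the key is regenerated."""
    return TlsConfig(
        protocols=[p for p in cfg.protocols if p in APPROVED_PROTOCOLS],
        ciphers=[c for c in cfg.ciphers if c in APPROVED_CIPHERS],
        sig_hashes=[h for h in cfg.sig_hashes if h in APPROVED_SIG_HASHES],
        curves=[c for c in cfg.curves if c in APPROVED_CURVES],
        rsa_key_bits=cfg.rsa_key_bits,
    )

# Constructed legacy configuration of the kind an older FTPS deployment carries forward.
LEGACY = TlsConfig(
    protocols=["TLSv1.0", "TLSv1.2"],
    ciphers=["RC4", "3DES", "AES256-GCM"],  # 3DES disallowed for encryption after 2023
    sig_hashes=["MD5", "SHA1", "SHA384"],
    curves=["secp256k1", "P-256"],
    rsa_key_bits=1024,
)
```

Running fips_violations(LEGACY) reports seven findings; after apply_fips_mode only the 1024-bit RSA key remains, which is the one item a mode switch cannot fix for you.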

Benefits of FIPS 140-2

FIPS 140-2 provides organizations with clear standards of cryptographic security that must be met, along with validation that the tools they use to do so will meet the required standard. 

While not required for all file transfers, using FIPS 140-2 validated encryption ensures that you meet a high level of third-party validated data protection.

Other benefits of using a FIPS 140-2 compliant file transfer solution are:

  • Procurement efficiency: Simplifies approval of your solution for use in government or enterprise environments
  • Reduced risk: Lowers the chance of using unverified or weak cryptographic methods
  • Regulatory alignment: Serves as a strong standard across regulations in the federal government, healthcare and financial services sectors
  • Trusted encryption: Validates that your solution will use the most secure standards in widespread use
  • Vendor accountability: Ensures that components of your solution or your providers have been independently audited for compliance

These benefits support consistent, standards-based encryption across file transfer operations.

FIPS 140-2 FAQs

What is FIPS 140-2?

FIPS 140-2 is a data security rule from the U.S. government. It explains how encryption must work for systems that handle sensitive but unclassified federal data. All federal agencies must follow it. Anyone who works with federal data must also use it. That includes state workers who manage federal programs and private contractors. 

The standard gives rules for encryption tools and how keys are stored. It also sets rules for user access and physical security. A testing program checks if encryption tools meet these rules. Only tested tools can be certified under FIPS 140-2.


How do you verify FIPS 140-2 compliance?

To check your solution’s FIPS 140-2 compliance, look for the cryptographic module in NIST’s CMVP database. A validated module will have a certificate number. It will also show the vendor, module name, version and security level.

Read the module’s security policy to see what was validated. Make sure that the certificate matches the software or hardware version in use. Only modules tested by an NVLAP-accredited lab count as compliant.


What is the difference between FIPS 140-2 and AES?

FIPS 140-2 is a government rule set that details how to build and check cryptographic hardware and software modules.

The Advanced Encryption Standard (AES) is a type of encryption algorithm that can be used to meet some of FIPS 140-2’s requirements for data security.


What is the difference between FIPS 140-2 and 140-3?

FIPS 140-2 and FIPS 140-3 are both NIST standards that define how cryptographic modules must be built and tested. FIPS 140-2 will be deprecated in September 2026 and fully replaced by FIPS 140-3, which has been in effect since 2020 and under which validation certificates have been issued since the end of 2022.

FIPS 140-3 makes a number of changes to the FIPS requirements and testing processes, including:

  • Changing testing procedures so that the pre-operational self-test (POST) and the conditional algorithm self-test are required, with the POST focusing on memory integrity
  • Extending testing and validation to hybrid modules that are not purely software- or hardware-based
  • Requiring MFA for level four authentication
  • Upgrading the bit length required for block ciphers and digital signatures
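The self-test requirement in the compliance list above (checks at startup and during operation) and the POST/conditional-test changes just listed are easiest to understand from a minimal implementation. The block below is an added illustration, not code from any validated module: a power-on self-test that checks software integrity and then runs known-answer tests, plus the continuous RNG test FIPS 140-2 requires during operation. The known-answer vectors are the published SHA-256("abc") and RFC 4231 HMAC-SHA-256 values; the module image and integrity key are constructed stand-ins.

```python
# Added illustration of the self-tests a FIPS 140 module runs; not code from any
# validated module. Known-answer vectors: SHA-256("abc") from FIPS 180-4 and
# HMAC-SHA-256 test case 1 from RFC 4231. The module image and integrity key are constructed.
import hashlib
import hmac

SHA256_KAT = (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
HMAC_KAT = (bytes([0x0B] * 20), b"Hi There",
            "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")

# Stand-in for the module's code image and the HMAC over it recorded at build time.
MODULE_IMAGE = b"fips-module v1.0 (constructed stand-in for the real binary)"
INTEGRITY_KEY = b"constructed-build-time-integrity-key"
EXPECTED_INTEGRITY = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, "sha256").hexdigest()

class SelfTestError(RuntimeError):
    """A failed self-test: the module must enter an error state and refuse crypto operations."""

def power_on_self_test(image: bytes = MODULE_IMAGE) -> dict:
    """Pre-operational tests at startup: software integrity first, then one
    known-answer test per algorithm before that algorithm may be used."""
    results = {"integrity": hmac.compare_digest(
        hmac.new(INTEGRITY_KEY, image, "sha256").hexdigest(), EXPECTED_INTEGRITY)}
    results["sha256_kat"] = hashlib.sha256(SHA256_KAT[0]).hexdigest() == SHA256_KAT[1]
    key, msg, expected = HMAC_KAT
    results["hmac_sha256_kat"] = hmac.new(key, msg, "sha256").hexdigest() == expected
    failed = [name for name, ok in results.items() if not ok]
    if failed:
        raise SelfTestError(f"POST failed: {failed}")
    return results

def continuous_rng_test(generate, n_blocks: int, block_len: int = 16) -> list:
    """Conditional test run during operation (FIPS 140-2 section 4.9.2): every new
    random block must differ from the previous one; a repeat means a stuck generator.
    The first block after start-up is only kept for comparison, never handed out."""
    blocks, prev = [], generate(block_len)
    for _ in range(n_blocks):
        block = generate(block_len)
        if block == prev:
            raise SelfTestError("continuous RNG test failed: repeated output")
        blocks.append(block)
        prev = block
    return blocks
```

A real module would run power_on_self_test() before exposing any cryptographic service and wrap its DRBG output in the continuous test; here both are shown with a tampered image and a stuck generator to make the error state visible.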

