What is FIPS 140-2?
The FIPS 140-2 standard is an information technology security accreditation program for cryptographic modules produced by private-sector vendors. U.S. government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share, and disseminate sensitive information require the products they use to contain FIPS 140-2 validated cryptography.
FIPS 140-2 was first published in 2001 by the U.S. National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce. NIST works to establish various standards that the U.S. military and various government agencies must abide by. Vendors, contractors, and any organization working with government or military must comply with FIPS as well.
What Types of Organizations Require FIPS?
Federal and state government agencies that deal with citizens’ private information are frequently required to abide by FIPS. The military and its vendors must also comply to protect sensitive national-security information. Other examples typically include organizations that require high levels of privacy, including financial institutions, information-processing vendors, healthcare-related vendors, educational institutions, and utilities.
However, the FIPS standard is still relevant to companies that may not be required to comply with government encryption regulations. The FIPS standard is appropriate for just about any organization that wishes to transfer files securely, safeguard business data, and protect its most critical information.
What Does It Mean to Be FIPS 140-2 Compliant?
A FIPS-validated solution must use only cryptographic algorithms and hash functions approved under FIPS 140-2. Specifically, it must:
- Use algorithms and hash functions approved by FIPS 140-2
- Be validated by the Cryptographic Module Validation Program (CMVP)
The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC).
FIPS 140-2 Cryptography for Cerberus FTP Server
Cerberus FTP Server performs all of its cryptographic operations through an embedded FIPS 140-2-validated cryptographic module (Certificate #3503, the KeyPair FIPS Object Module for OpenSSL). It therefore meets federal cryptographic requirements with FIPS 140-2 validated cryptography, including AES encryption with keys up to 256 bits, over SSL and SSH.
For more information, see the article on our blog on how to Ensure HIPAA Compliance on Your FTP/SFTP/FTPES Server.