FIPS Standard

the cryptographic module shall be contained within a strong enclosure such that attempts at removal
or penetration of the enclosure will have a high probability of causing serious damage to the module
(i.e., the module will not function).
SECURITY LEVEL 4
In addition to the requirements for Security Levels 1, 2, and 3, the following requirements shall apply to
multiple-chip standalone cryptographic modules for Security Level 4.
The potting material or enclosure of the cryptographic module shall be encapsulated by a tamper
detection envelope, by the use of tamper detection mechanisms such as cover switches (e.g.,
microswitches, magnetic Hall effect switches, permanent magnetic actuators, etc.), motion detectors
(e.g., ultrasonic, infrared, or microwave), or other tamper detection mechanisms as described above
for multiple-chip embedded cryptographic modules. The tamper detection mechanisms shall detect
tampering by means such as cutting, drilling, milling, grinding, or dissolving of the potting material
or enclosure, to an extent sufficient for accessing plaintext secret and private cryptographic keys
and CSPs.
The cryptographic module shall contain tamper response and zeroization circuitry that shall
continuously monitor the tamper detection envelope and, upon the detection of tampering, shall
immediately zeroize all plaintext secret and private cryptographic keys and CSPs. The tamper
response and zeroization circuitry shall remain operational when plaintext cryptographic keys and
CSPs are contained within the cryptographic module.
4.5.5 Environmental Failure Protection/Testing
The electronic devices and circuitry are designed to operate within a particular range of environmental
conditions. Deliberate or accidental excursions outside the specified normal operating ranges of voltage
and temperature can cause erratic operation or failure of the electronic devices or circuitry that can
compromise the security of the cryptographic module. Reasonable assurance that the security of a
cryptographic module cannot be compromised by extreme environmental conditions can be provided by
having the module employ environmental failure protection (EFP) features or undergo environmental
failure testing (EFT).
For Security Levels 1, 2, and 3, a cryptographic module is not required to employ environmental failure
protection (EFP) features or undergo environmental failure testing (EFT). At Security Level 4, a
cryptographic module shall either employ environmental failure protection (EFP) features or undergo
environmental failure testing (EFT).
4.5.5.1 Environmental Failure Protection Features (Alternative 1)
Environmental failure protection (EFP) features shall protect a cryptographic module against unusual
environmental conditions or fluctuations (accidental or induced) outside of the module's normal operating
range that can compromise the security of the module. In particular, the cryptographic module shall
monitor and correctly respond to fluctuations in the operating temperature and voltage outside of the
specified normal operating ranges.
The EFP features shall involve electronic circuitry or devices that continuously measure the operating
temperature and voltage of a cryptographic module. If the temperature or voltage falls outside of the
cryptographic module's normal operating range, the protection circuitry shall either (1) shut down the
module to prevent further operation or (2) immediately zeroize all plaintext secret and private
cryptographic keys and CSPs.
Documentation shall specify the normal operating ranges of a cryptographic module and the environmental
failure protection features employed by the module.
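The continuous-monitoring response the standard requires (the Security Level 4 tamper detection envelope above, and EFP response alternative (2)) as an added C sketch; this is illustrative code, not from the standard or any validated module, and the operating ranges, key size and all function names are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed normal operating ranges; a real module documents its own in its security policy. */
#define TEMP_MIN_C  0
#define TEMP_MAX_C  70
#define VOLT_MIN_MV 3000
#define VOLT_MAX_MV 3600
#define KEY_BYTES   32

typedef enum { EFP_OK = 0, EFP_ZEROIZED = 1 } efp_status_t;

/* Plaintext secret key held in volatile memory (constructed for the example). */
typedef struct { uint8_t key[KEY_BYTES]; bool key_loaded; } key_store_t;

/* Overwrite through a volatile pointer so the compiler cannot drop the stores as dead. */
static void secure_zeroize(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
}

/* True when a reading lies outside the documented normal operating range. */
bool efp_out_of_range(int temp_c, int volt_mv) {
    return temp_c < TEMP_MIN_C || temp_c > TEMP_MAX_C ||
           volt_mv < VOLT_MIN_MV || volt_mv > VOLT_MAX_MV;
}

/* One monitoring tick, run continuously while plaintext keys are present.
 * tamper_signal models the tamper detection envelope; the readings model EFP sensing.
 * Either trigger takes response alternative (2): immediate zeroization. */
efp_status_t efp_tick(key_store_t *ks, bool tamper_signal, int temp_c, int volt_mv) {
    if (!tamper_signal && !efp_out_of_range(temp_c, volt_mv)) return EFP_OK;
    secure_zeroize(ks->key, sizeof ks->key);
    ks->key_loaded = false;
    return EFP_ZEROIZED;
}

/* Runs one tick against a freshly loaded constructed key; returns true only when the
 * response fired and every key byte verifiably reads back as zero. */
bool efp_scenario(bool tamper_signal, int temp_c, int volt_mv) {
    key_store_t ks;
    memset(ks.key, 0xAB, sizeof ks.key);
    ks.key_loaded = true;
    if (efp_tick(&ks, tamper_signal, temp_c, volt_mv) != EFP_ZEROIZED) return false;
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof ks.key; i++) acc |= ks.key[i];
    return acc == 0 && !ks.key_loaded;
}
```

Alternative (1), shutting the module down, would replace the zeroization branch with a transition to a halted state; the zeroization path is shown because it is also what the tamper response circuitry must perform.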