FIPS Standard
e. FIPS PUB 171, Key Management Using ANSI X9.17.
f. FIPS PUB 180-1, Secure Hash Standard.
g. FIPS PUB 186-2, Digital Signature Standard.
h. Special Publication 800-2, Public Key Cryptography.
i. Special Publication 800-20, Modes of Operation Validation System for the Triple Data Encryption
Algorithm (TMOVS): Requirements and Procedures
These documents may be found at the CMVP URL http://www.nist.gov/cmvp
. Other NIST publications
may be applicable to the implementation and use of this standard. A list (NIST Publications List 91) of
currently available computer security publications, including ordering information, can be obtained from
NIST.
7. Applicability. This standard is applicable to all Federal agencies that use cryptographic-based security
systems to protect sensitive information in computer and telecommunication systems (including voice
systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996,
Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules
that Federal departments and agencies operate or are operated for them under contract. Cryptographic
modules that have been approved for classified use may be used in lieu of modules that have been validated
against this standard. The adoption and use of this standard is available to private and commercial
organizations.
8. Applications. Cryptographic-based security systems may be utilized in various computer and
telecommunication applications (e.g., data storage, access control and personal identification, network
communications, radio, facsimile, and video) and in various environments (e.g., centralized computer
facilities, office environments, and hostile environments). The cryptographic services (e.g., encryption,
authentication, digital signature, and key management) provided by a cryptographic module are based on
many factors that are specific to the application and environment. The security level to which a
cryptographic module is validated must be chosen to provide a level of security appropriate for the security
requirements of the application and environment in which the module will be utilized and the security
services that the module will provide. The security requirements for a particular security level include both
the security requirements specific to that level and the security requirements that apply to all modules
regardless of the level.
9. Specifications. Federal Information Processing Standard (FIPS) 140-2, Security Requirements for
Cryptographic Modules (affixed).
10. Implementations. This standard covers implementations of cryptographic modules including, but not
limited to, hardware components or modules, software/firmware programs or modules or any combination
thereof. Cryptographic modules that are validated under the CMVP will be considered as conforming to
this standard. Information about the CMVP can be obtained from the
a. National Institute of Standards and Technology, Information Technology Laboratory, 100 Bureau
Drive, Stop 8900, Gaithersburg, MD 20899-8900.
b. Communications Security Establishment, ITS Client Services, 1500 Bronson Ave., Ottawa, ON
K1G 3Z4.
c. CMVP URL http://www.nist.gov/cmvp
.
11. Approved Security Functions. Cryptographic modules that conform to this standard shall employ
Approved security functions such as cryptographic algorithms, cryptographic key management techniques,
and authentication techniques that have been approved for protecting Federal government sensitive
information. Approved security functions include those that are either:
a. specified in a Federal Information Processing Standard (FIPS),
b. adopted in a FIPS and specified either in an appendix to the FIPS or in a document referenced by
the FIPS, or
c. specified in the list of Approved security functions.
iv