FIPS Standard

1. OVERVIEW

This standard specifies the security requirements for a cryptographic module utilized within a security

system protecting sensitive information in computer and telecommunication systems (including voice

systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996,

Public Law 104-106.

FIPS 140-1 was developed by a government and industry working group composed of both operators and

vendors. The working group identified requirements for four security levels for cryptographic modules to

provide for a wide spectrum of data sensitivity (e.g., low value administrative data, million dollar funds

transfers, and life protecting data) and a diversity of application environments (e.g., a guarded facility, an

office, and a completely unprotected location). Four security levels are specified for each of 11

requirement areas. Each security level offers an increase in security over the preceding level. These four

increasing levels of security allow cost-effective solutions that are appropriate for different degrees of data

sensitivity and different application environments. FIPS 140-2 incorporates changes in applicable

standards and technology since the development of FIPS 140-1 as well as changes that are based on

comments received from the vendor, laboratory, and user communities.

While the security requirements specified in this standard are intended to maintain the security provided by

a cryptographic module, conformance to this standard is not sufficient to ensure that a particular module is

secure. The operator of a cryptographic module is responsible for ensuring that the security provided by

the module is sufficient and acceptable to the owner of the information that is being protected, and that any

residual risk is acknowledged and accepted.

Similarly, the use of a validated cryptographic module in a computer or telecommunications system is not

sufficient to ensure the security of the overall system. The overall security level of a cryptographic module

must be chosen to provide a level of security appropriate for the security requirements of the application

and environment in which the module is to be utilized and for the security services that the module is to

provide. The responsible authority in each organization should ensure that their computer and

telecommunication systems that utilize cryptographic modules provide an acceptable level of security for

the given application and environment.

The importance of security awareness and of making information security a management priority should be

communicated to all users. Since information security requirements vary for different applications,

organizations should identify their information resources and determine the sensitivity to and the potential

impact of losses. Controls should be based on the potential risks and should be selected from available

controls, including administrative policies and procedures, physical and environmental controls,

information and data controls, software development and acquisition controls, and backup and contingency

planning.

The following sections provide an overview of the four security levels. Common examples, given to

illustrate how the requirements might be met, are not intended to be restrictive or exhaustive.

The location of Annexes A, B, C, and D can be found in APPENDIX D: SELECTED BIBLIOGRAPHY.

1.1 Security Level 1

Security Level 1 provides the lowest level of security. Basic security requirements are specified for a

cryptographic module (e.g., at least one Approved algorithm or Approved security function shall be used).

No specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond

the basic requirement for production-grade components. An example of a Security Level 1 cryptographic

module is a personal computer (PC) encryption board.