User guide
Chapter 7.
109
Federal Standards and Regulations
7.1. Introduction
In order to maintain security levels, it is possible for your organization to make efforts to comply with
federal and industry security specifications, standards and regulations. This chapter describes some of
these standards and regulations.
7.2. Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard (FIPS) Publicaton 140-2, is a computer security
standard, developed by a U.S. Government and industry working group to validate the quality of
cryptographic modules. FIPS publications (including 140-2) can be found at the following URL: http://
csrc.nist.gov/publications/PubsFIPS.html. Note that at the time of writing, Publication 140-3 is at Draft
status, and may not represent the completed standard. The FIPS standard provides four (4) security
levels, to ensure adequate coverage of different industries, implementations of cryptographic modules
and organizational sizes and requirements. These levels are described below:
• Level 1 - Security Level 1 provides the lowest level of security. Basic security requirements are
specified for a cryptographic module (e.g., at least one Approved algorithm or Approved security
function shall be used). No specific physical security mechanisms are required in a Security Level 1
cryptographic module beyond the basic requirement for production-grade components. An example
of a Security Level 1 cryptographic module is a personal computer (PC) encryption board.
• Level 2 - Security Level 2 enhances the physical security mechanisms of a Security Level 1
cryptographic module by adding the requirement for tamper-evidence, which includes the use of
tamper-evident coatings or seals or for pick-resistant locks on removable covers or doors of the
module. Tamper-evident coatings or seals are placed on a cryptographic module so that the coating
or seal must be broken to attain physical access to the plaintext cryptographic keys and critical
security parameters (CSPs) within the module. Tamper-evident seals or pick-resistant locks are
placed on covers or doors to protect against unauthorized physical access.
• Level 3 - In addition to the tamper-evident physical security mechanisms required at Security Level
2, Security Level 3 attempts to prevent the intruder from gaining access to CSPs held within the
cryptographic module. Physical security mechanisms required at Security Level 3 are intended
to have a high probability of detecting and responding to attempts at physical access, use or
modification of the cryptographic module. The physical security mechanisms may include the use of
strong enclosures and tamper detection/response circuitry that zeroizes all plaintext CSPs when the
removable covers/doors of the cryptographic module are opened.
• Level 4 - Security Level 4 provides the highest level of security defined in this standard. At this
security level, the physical security mechanisms provide a complete envelope of protection around
the cryptographic module with the intent of detecting and responding to all unauthorized attempts
at physical access. Penetration of the cryptographic module enclosure from any direction has
a very high probability of being detected, resulting in the immediate zeroization of all plaintext
CSPs. Security Level 4 cryptographic modules are useful for operation in physically unprotected
environments.
Refer to the full FIPS 140-2 standard at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf for
further details on these levels and the other specifications of the FIPS standard.