New standard set for security

FIPS 140-2 site

The Commerce Department has formally approved the new standard for the minimum level of cryptography in federal security products, replacing a standard that had been in effect for seven years.

With the approval June 27, security products used by agencies for sensitive, unclassified information must be certified under the National Institute of Standards and Technology's Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules.

The new FIPS 140-2 standard, which replaces the 140-1 standard from 1994, goes into effect Nov. 25.

FIPS 140-2 covers four increasing levels of security, to encompass a range of applications:

* Security Level 1 specifies basic security, such as a PC encryption board.

* Security Level 2 adds physical security to Level 1 products by requiring tamper-evident coatings or seals, or pick-resistant locks. It also requires role-based authentication of users and that operating systems meet the new Common Criteria Controlled Access Protection Profile.

* Security Level 3 strengthens physical security, requires identity-based authentication, and requires physical separation of data ports. There are also additional levels of Common Criteria requirements.

* Security Level 4 builds on all of the other requirements, as well as the ability to electronically erase information if the environmental conditions around the module change dramatically or if there are drastic fluctuations in the module's operating ranges.

NIST maintains a list of vendors and modules with FIPS 140-1 and 140-2 validation on its Web site.