FIPS 140-2 Compliance

FIPS 140-2 Compliant Encryption

How does SecureZIP help meet FIPS 140-2 compliance standards?

PKWARE’s Solution fully addresses the standards outlined in FIPS 140-2 by strongly ENCRYPTING THE DATA ITSELF rather than the storage device.

Keeps Data Secure:

  • In Movement or Storage
  • At its Origin or Destination

Data remains protected even if placed on removable media that is lost or stolen during transit.

The PKWARE Solution offers government agencies the ability to use validated cryptographic modules for protecting data when run in FIPS mode:

Platform                                                        FIPS Validation Cert #  FIPS Level
Windows 2000                                                    103                     140-1*
Windows XP                                                      238                     140-1*
Windows XP w/SP3                                                989                     140-2
Windows Vista                                                   893/1002                140-2
Windows 7                                                       1330                    140-2
Windows 8                                                       1894                    140-2
Windows Server 2003                                             382/1012                140-2
Windows Server 2008                                             1010                    140-2
Windows Server 2008 R2                                          1337                    140-2
Windows Server 2012                                             1894                    140-2
UNIX/Linux                                                      918/1747                140-2
Java JRE 6                                                      1502                    140-2
Android (coming)                                                1502                    140-2
iOS 6                                                           1963                    140-2
iOS 7                                                           2020                    140-2
OS X                                                            1964/2015               140-2
Z900, z800                                                      118                     140-1*
Z990, z890                                                      524                     140-2
Z990, z890, Z9EC, z9BC, z10EC, z10BC                            661                     140-2
Z990, z890, Z9EC, z9BC, z10EC, z10BC, z196, z114, zEC12, zBC12  1505                    140-2

*click here to view NIST's position on FIPS 140-1

PKWARE helps meet FIPS 140-2 compliance standards:

FIPS 140-2 requires all federal government agencies and departments that use cryptographic-based security systems to protect sensitive information to comply with the standards. Or, if you are an organization that does business with a government agency or department that requires the exchange of sensitive information, you also need to ensure you meet the FIPS 140-2 security standards. Additionally, FIPS 140-2 is becoming a general best practice outside of the government sector and outside of the United States.

Customer Success Story: FIPS 140-2 Compliant Encryption Case Study

The Centers for Medicare & Medicaid Services (CMS) is using SecureZIP PartnerLink not only to meet FIPS 140-2 standards, but also to securely exchange sensitive information with hundreds of external partners, including other federal/state/local government agencies, research labs, universities, and large corporations. To learn more about how CMS is leveraging SecureZIP PartnerLink, please download the CMS Case Study.

In addition to meeting the security standards outlined in FIPS 140-2, SecureZIP helps solve several other data security issues that government agencies are facing. To learn more about how SecureZIP can help solve specific government data security issues and to access case studies and other resources, click here.

What is FIPS 140-2?

FIPS 140-2 is the current version of the Federal Information Processing Standard 140 (FIPS 140) publication, which specifies requirements for cryptographic modules. The National Institute of Standards and Technology (NIST) issued the FIPS 140 series to uphold the standards that describe the United States Federal Government requirements that IT products should meet.

Read more about FIPS 140 by downloading the document found here: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

*The NIST has announced FIPS 140 algorithm changes that will go into effect by year end 2010. PKWARE will continue to support FIPS 140 compliance needs with our latest version releases. Please contact PKWARE with questions regarding these changes.

FIPS 140-1

FIPS 140-1 validated products can be used to meet FIPS compliance requirements. The status of FIPS 140-1 is documented as follows by the NIST:

FIPS 140-1 became a mandatory standard for the protection of sensitive data when the Secretary of Commerce signed the standard on January 11, 1994. FIPS 140-2 supersedes FIPS 140-1 and the standard was signed on May 25, 2001. The Implementation Schedule statement from FIPS 140-2 (page v):

14. Implementation Schedule. This standard (FIPS 140-2) becomes effective six months after approval by the Secretary of Commerce. A transition period from November 25, 2001 until six months after the effective date is provided to enable all agencies to develop plans for the acquisition of products that are compliant with FIPS 140-2. Agencies may retain and use FIPS 140-1 validated products that have been purchased before the end of the transition period. After the transition period, modules will no longer be tested against the FIPS 140-1 requirements. After the transition period, all previous validations against FIPS 140-1 will still be recognized.

The CMVP posted a clarification to the implementation schedule on February 04, 2002, in the CMVP FAQ Section 1 Overview:

FIPS 140-2, Security Requirements for Cryptographic Modules, was released on May 25, 2001 and supersedes FIPS 140-1. However, agencies may continue to purchase, retain and use FIPS 140-1 validated modules after May 25, 2002. Modules validated as conforming to FIPS 140-1 and FIPS 140-2 are accepted by the Federal Agencies of both countries for the protection of sensitive information. However, a federal agency may choose to only procure a FIPS 140-2 validated module.

More information on this topic is available directly from the NIST at http://csrc.nist.gov/groups/STM/cmvp/index.html#04.