
FIPS 140-2


When engaging an electronic discovery vendor, make sure that they provide an adequate level of data security for encrypted data transferred over a network by checking whether they are validated under FIPS 140-2. Federal Information Processing Standard 140-2 is a standard set up by the National Institute of Standards and Technology (NIST) on Security Requirements for Cryptographic Modules. The validation process involves evaluation by an independent laboratory and review of the lab's report by a joint U.S. / Canadian body named the Cryptographic Module Validation Program. Be sure to distinguish between vendors that claim to be FIPS 140-2 compliant and those that have FIPS 140-2 validation. A FIPS 140-2 compliant organization will merely be using a cryptographic module of another business which obtained FIPS 140-2 validation.

FIPS 140-2 validation involves a review in the 11 areas listed below. An organization will receive a grade from 1 to 4 in each of these areas and an overall score, with 4 indicating the highest level of security.

  • Cryptographic Module Specification

  • Cryptographic Module Ports and Interfaces

  • Roles, Services and Authentication

  • Finite State Model

  • Physical Security

  • Operational Environment

  • Cryptographic Key Management

  • Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)

  • Self Tests

  • Design Assurance

  • Mitigation of Other Attacks


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.