FIPS 140-2

When engaging an electronic discovery vendor, make sure that they provide an adequate level of data security for encrypted data transferred over a network by checking whether they are validated under FIPS 140-2. Federal Information Processing Standard 140-2 is a standard issued by the National Institute of Standards and Technology (NIST) on Security Requirements for Cryptographic Modules. The validation process involves evaluation by an independent laboratory and review of the lab's report by a joint U.S. / Canadian body named the Cryptographic Module Validation Program (CMVP). Be sure to distinguish between vendors that claim to be FIPS 140-2 compliant and those which hold FIPS 140-2 validation. A FIPS 140-2 compliant organization is merely using a cryptographic module of another business which obtained FIPS 140-2 validation; it has not been validated itself.

FIPS 140-2 validation involves a review in 11 different areas:

  • Cryptographic Module Specification

  • Cryptographic Module Ports and Interfaces

  • Roles, Services and Authentication

  • Finite State Model

  • Physical Security

  • Operational Environment

  • Cryptographic Key Management

  • Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)

  • Self Tests

  • Design Assurance

  • Mitigation of Other Attacks

An organization will receive a grade from 1 to 4 in each of these areas and an overall score, with 4 indicating the highest level of security.