The FIPS 140-2 standard is an information technology security accreditation program for cryptographic modules produced by private sector vendors who seek to have their products certified for use in U.S. government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive information.
FIPS 140-2 was first published in 2001 by the U.S. National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce. NIST works to establish various standards that the U.S. military and various government agencies must abide by. Vendors, contractors, and any organization working with government or military must comply with FIPS as well.
What Types of Organizations Require FIPS?
Federal and state government agencies that deal with citizens’ private information are frequently required to abide by FIPS. The military and its vendors must also comply in order to protect sensitive national-security information. Other examples typically include organizations that require high levels of privacy, including financial institutions, information-processing vendors, healthcare-related vendors, educational institutions, and utilities.
However, the FIPS standard is still relevant to companies that may not be required to comply with government encryption regulations. The FIPS standard is appropriate for just about any organization that wishes to transfer files securely, safeguard business data, and protect its most critical information.
What Does It Mean to be FIPS 140-2 Compliant?
A FIPS-validated solution must use cryptographic algorithms and hash functions approved by FIPS. Specifically, a FIPS-validated solution must:
- Use algorithms and hash functions approved by FIPS 140-2
- Be validated by the Cryptographic Module Validation Program (CMVP)
The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC).
FIPS 140-2 Cryptography for Cerberus FTP Server
Cerberus FTP Server uses an embedded FIPS 140-2-validated cryptographic module for all cryptographic operations (Certificate #3503, the KeyPair FIPS Object Module for OpenSSL 1.0.x, in Cerberus FTP Server releases 11.3.1 to 12.10.1; Certificate #4282, the OpenSSL FIPS Provider for OpenSSL 3.0.x, in Cerberus FTP Server 12.11.0 and above) and meets federal cryptographic requirements with FIPS 140-2 validated cryptography up to 256-bit AES encryption over SSL and SSH.
FIPS 140-3
FIPS 140-3 is the current U.S. and Canadian standard for validating cryptographic modules — the hardware, software, or firmware that provides encryption and key management. The cryptographic modules are produced by the private sector or open source communities for use by the U.S. government and other regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive information.
FIPS 140-3 was initially published on March 22, 2019 by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce, and it supersedes FIPS 140-2. FIPS 140-3 became effective September 22, 2019, with CMVP beginning to accept validation submissions under the new scheme in September 2020. As with its predecessor, NIST works to establish various standards that the U.S. military and various government agencies must abide by, and vendors, contractors, and any organization working with government or military must comply with FIPS as well.
What Does It Mean to be FIPS 140-3 Compliant?
A FIPS-validated solution must use cryptographic algorithms and hash functions approved by FIPS. Specifically, a FIPS 140-3-validated solution must:
- Use algorithms and hash functions approved by FIPS 140-3, including AES 128 or higher for block cipher encryption. Older algorithms such as TDEA and SKIPJACK may only be used for legacy decryption, and digital signatures must use security greater than or equal to 112 bits for any new signature generation.
- Be validated by the Cryptographic Module Validation Program (CMVP).
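To make the algorithm rules above concrete, here is an added example (not Cerberus FTP Server code) that classifies an algorithm and key size against them before it is enabled on a server. The security-strength estimates are the ones in NIST SP 800-57 Part 1; the `security_strength` and `check` functions and the `Verdict` type are assumptions of this example.

```python
from dataclasses import dataclass

# Rules quoted in the list above; strength estimates follow SP 800-57 Part 1.
MIN_SIGNATURE_STRENGTH = 112                # bits, for any new signature generation
MIN_ENCRYPTION_STRENGTH = 128               # AES-128 or stronger for block cipher encryption
LEGACY_DECRYPT_ONLY = {"TDEA", "SKIPJACK"}  # may only decrypt existing data


def security_strength(alg: str, key_bits: int) -> int:
    """Estimated security strength in bits (SP 800-57 Part 1, Table 2)."""
    alg = alg.upper()
    if alg == "AES":
        return key_bits if key_bits in (128, 192, 256) else 0
    if alg in ("RSA", "DSA", "DH"):          # modulus / finite-field size
        for modulus, strength in ((15360, 256), (7680, 192), (3072, 128), (2048, 112)):
            if key_bits >= modulus:
                return strength
        return 80 if key_bits >= 1024 else 0
    if alg in ("ECDSA", "ECDH"):             # curve order size
        for order, strength in ((512, 256), (384, 192), (256, 128), (224, 112)):
            if key_bits >= order:
                return strength
        return 0
    if alg == "TDEA":
        return 112 if key_bits == 168 else 80  # three-key vs two-key
    return 0                                   # unknown or unapproved


@dataclass
class Verdict:
    allowed: bool
    reason: str


def check(alg: str, key_bits: int, use: str) -> Verdict:
    """Decide whether (alg, key_bits) may be used for 'encrypt', 'decrypt' or 'sign'."""
    alg = alg.upper()
    if use not in ("encrypt", "decrypt", "sign"):
        raise ValueError(f"unknown use: {use}")
    strength = security_strength(alg, key_bits)
    if alg in LEGACY_DECRYPT_ONLY:
        return Verdict(use == "decrypt", f"{alg} is legacy: decryption of existing data only")
    if use in ("encrypt", "decrypt"):
        if alg != "AES" or strength < MIN_ENCRYPTION_STRENGTH:
            return Verdict(False, f"{alg}-{key_bits} is not AES-128 or stronger")
        return Verdict(True, f"AES-{key_bits} approved ({strength}-bit security)")
    if strength < MIN_SIGNATURE_STRENGTH:    # use == "sign"
        return Verdict(False, f"{alg}-{key_bits} gives {strength}-bit security, below 112")
    return Verdict(True, f"{alg}-{key_bits} gives {strength}-bit security")
```

Running `check("TDEA", 168, "encrypt")` and `check("RSA", 1024, "sign")` shows the two failure modes the list calls out: a legacy cipher offered for new encryption, and a signing key below 112-bit security.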
FIPS 140-3 Cryptography for Cerberus FTP Server
Cerberus version 2026.1 upgrades the Cerberus cryptographic module certification from FIPS 140-2 to the FIPS 140-3 standard, providing stricter algorithm restrictions and ensuring compliance with the most recent federal data protection requirements for handling sensitive information. FIPS mode is toggled in the Cerberus GUI or Web Administration under Server Manager > Security tab > General > Enable FIPS 140-3, and requires a restart of the Cerberus FTP Server Windows Service to take effect.