FIPS 140-3 Validated Cryptography
Cerberus FTP Server leverages an embedded FIPS 140-3-validated cryptographic module for all cryptographic operations and supports secure file transfer deployments that require FIPS 140-3 validated cryptography.
Cerberus FTP Server uses Certificate #4985, the OpenSSL 3.1.2 FIPS Provider Module, to meet federal cryptographic requirements with FIPS 140-3 validated cryptography up to 256-bit AES encryption over SSL/TLS and SSH. The OpenSSL 3.1.2 FIPS Provider is validated under the NIST Cryptographic Module Validation Program (CMVP) and is listed through March 10, 2030.
Cerberus uses this validated OpenSSL FIPS Provider module to support modern federal security requirements and to help organizations deploy secure managed file transfer solutions that require validated cryptography.
Understanding FIPS 140-3 Compliance
In 2019, NIST's Federal Information Processing Standard (FIPS) publication 140-3 established the current security standard for cryptographic modules used by the United States federal government in the collection, storage, transfer, sharing, and dissemination of sensitive information.
Most federal agencies and regulated industries that require validated cryptography rely on the FIPS 140-3 standard. Products sold to the federal government that use cryptographic modules often must use cryptography validated through the NIST/CSEC Cryptographic Module Validation Program (CMVP).
Identifying Organizations That Require FIPS-Compliant File Transfer
The following organizations are required to use FIPS-compliant cryptography by law, policy, contract, or procurement requirements:
- United States federal and state government agencies that handle citizens' private information
- The United States military and its vendors working with sensitive but unclassified data
- Vendors, suppliers, and third parties selling cryptographic modules to the federal government or using these modules in support of their services
Industries that handle sensitive data and require high levels of privacy for regulatory or security reasons also often require the FIPS standard. These industries include:
- Financial institutions
- Information-processing vendors
- Healthcare organizations subject to HIPAA regulations
- Educational institutions
- Utilities
Any organization can use the FIPS 140-3 standard to transfer files securely, safeguard business data, and protect critical information.
Meeting FIPS 140-3 Compliance Requirements
A FIPS 140-3 compliant solution must use cryptographic functions provided by a FIPS 140-3 validated module and ensure that the module operates in an approved FIPS mode.
Specifically, a FIPS-validated solution must meet the following requirements:
- Use algorithms and hash functions approved under FIPS requirements
- Be validated by the joint NIST/CSEC Cryptographic Module Validation Program (CMVP)
References
https://www.cerberusftp.com/features/transfer-security/fips-140-2-validation/
https://csrc.nist.gov/projects/cryptographic-module-validation-program