NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
NIST FIPS 140-2
Federal Information Processing Standards Publication 140 2
on Wednesday 15 November 2006 print the content item {PDF=create pdf file of the content item^plugin:content.48}
in NIST.gov Publications > Federal Information Processing Standards (FIPS)

This standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The standard provides four increasing, qualitative levels of security. The Cryptographic Module Validation Program (CMVP) validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography based standards.

Download the complete NIST FIPS 140-2.

Please use the NIST.org Forum to ask questions or discuss this document.

The below NIST FIPS 140-2 description is from NIST.gov, edited.

Description:

This standard specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106.

FIPS 140-1 was developed by a government and industry working group composed of both operators and vendors. The working group identified requirements for four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g., low value administrative data, million dollar funds transfers, and life protecting data) and a diversity of application environments (e.g., a guarded facility, an office, and a completely unprotected location). Four security levels are specified for each of 11 requirement areas. Each security level offers an increase in security over the preceding level. These four increasing levels of security allow cost-effective solutions that are appropriate for different degrees of data sensitivity and different application environments. FIPS 140-2 incorporates changes in applicable standards and technology since the development of FIPS 140-1 as well as changes that are based on comments received from the vendor, laboratory, and user communities.

While the security requirements specified in this standard are intended to maintain the security provided by a cryptographic module, conformance to this standard is not sufficient to ensure that a particular module is secure. The operator of a cryptographic module is responsible for ensuring that the security provided by the module is sufficient and acceptable to the owner of the information that is being protected, and that any residual risk is acknowledged and accepted.

Similarly, the use of a validated cryptographic module in a computer or telecommunications system is not sufficient to ensure the security of the overall system. The overall security level of a cryptographic module must be chosen to provide a level of security appropriate for the security requirements of the application and environment in which the module is to be utilized and for the security services that the module is to provide. The responsible authority in each organization should ensure that their computer and telecommunication systems that utilize cryptographic modules provide an acceptable level of security for the given application and environment.

The importance of security awareness and of making information security a management priority should be communicated to all users. Since information security requirements vary for different applications, organizations should identify their information resources and determine the sensitivity to and the potential impact of losses. Controls should be based on the potential risks and should be selected from available controls, including administrative policies and procedures, physical and environmental controls, information and data controls, software development and acquisition controls, and backup and contingency planning.

The FIPS 140-2 document was created by the National Institute of Standards and Technology and is public domain (not subject to copyright).


FIPS PUB # 140-2


Translate to: {GOOGLETRANS}
Google Ads




Headlines

»CVE-1999-0098 (appleshare, mercury_mail_server, slmail)
Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.
»CVE-1999-0725 (internet_information_server)
When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker ...
»CVE-1999-1015 (appleshare_mail_server)
Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attac ...
»CVE-2000-1090 (internet_information_server)
Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers to read source code for pars ...
»CVE-2001-0198 (quicktime)
Buffer overflow in QuickTime Player plugin 4.1.2 (Japanese) allows remote attackers to execute arbit ...
»CVE-2001-0240 (word)
Microsoft Word before Word 2002 allows attackers to automatically execute macros without warning the ...
»CVE-2002-1143 (excel, word)
Microsoft Word and Excel allow remote attackers to steal sensitive information via certain field cod ...
»CVE-2002-2132 (windows_2000, windows_xp)
Windows File Protection (WFP) in Windows 2000 and XP does not remove old security catalog .CAT files ...
»CVE-2003-0122 (lotus_domino, lotus_notes_client)
Buffer overflow in Notes server before Lotus Notes R4, R5 before 5.0.11, and early R6 allows remote ...
»CVE-2003-0123 (lotus_domino, lotus_notes_client)
Buffer overflow in Web Retriever client for Lotus Notes/Domino R4.5 through R6 allows remote malicio ...
»CVE-2003-0664 (word, works)
Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, w ...
»CVE-2006-1540 (office)
MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers t ...
»CVE-2006-3647 (office)
Integer overflow in Microsoft Word 2000, 2002, 2003, 2004 for Mac, and v.X for Mac allows remote use ...
»CVE-2006-5331 (linux_kernel)
The altivec_unavailable_exception function in arch/powerpc/kernel/traps.c in the Linux kernel before ...
»CVE-2007-1765 (definity_one_media_server, ie, ip600_media_servers, s3400, s8100, windows_2000, windows_2003_server, windows_vista, windows_xp)
Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to exe ...


Date published: 2017-11-22T19:00:10Z
Details

»Intel Firmware Vulnerability
Original release date: November 21, 2017 Intel has released recommendations to address vulner ...
»Symantec Releases Security Update
Original release date: November 21, 2017 Symantec has released an update to address a vulnera ...
»Windows ASLR Vulnerability
Original release date: November 20, 2017 The CERT Coordination Center (CERT/CC) has released ...
»Holiday Scams and Malware Campaigns
Original release date: November 16, 2017 | Last revised: November 17, 2017 US-CERT reminds us ...
»Oracle Releases Security Alert
Original release date: November 16, 2017 Oracle has released a security alert to address mult ...
»Cisco Releases Security Update
Original release date: November 15, 2017 Cisco has released a security update to address a vu ...
»Mozilla Releases Security Updates
Original release date: November 14, 2017 Mozilla has released security updates to address mul ...
»Microsoft Releases November 2017 Security Updates
Original release date: November 14, 2017 Microsoft has released updates to address vulnerabil ...
»Adobe Releases Security Updates
Original release date: November 14, 2017 Adobe has released security updates to address vulne ...
»Microsoft Releases Security Advisory on Dynamic Data Exchange (DDE)
Original release date: November 09, 2017 Microsoft has released an advisory that provides gui ...


Date published: not known
Details

»VB2017 paper: Beyond lexical and PDNS: using signals on graphs to uncover online threats at scale
At VB2017 in Madrid, Cisco Umbrella (OpenDNS) researchers Dhia Mahj ...
»Firefox 59 to make it a lot harder to use data URIs in phishing attacks
Firefox developer Mozilla has announced that, as of version 59 of t ...
»Standalone product test: FireEye Endpoint
Virus Bulletin ran a standalone test on FireEye's Endpoint Security ...
»VB2017 video: Consequences of bad security in health care
Jelena Milosevic, a nurse with a passion for IT security, is unique ...
»Vulnerabilities play only a tiny role in the security risks that come with mobile phones
Both bad news (all devices were pwnd) and good news (pwning is incr ...
»VB2017 paper: The (testing) world turned upside down
At VB2017 in Madrid, industry veteran and ESET Senior Research Fell ...
»VB2017 video: Turning Trickbot: decoding an encrypted command-and-control channel
Trickbot, a banking trojan which appeared this year, seems to be a ...
»Paper: FAME - Friendly Malware Analysis Framework
Today, we publish a short paper in which CERT Société Générale pres ...
»Ebury and Mayhem server malware families still active
Ebury and Mayhem, two families of Linux server malware, about which ...


Date published: not known
Details
Main Menu
· Home
Current Security News
 
US-CERT Current Activity

» Intel Firmware Vulnerability
[21 Nov 2017 09:02am]

» Symantec Releases Security Update
[21 Nov 2017 05:40am]

» Windows ASLR Vulnerability
[20 Nov 2017 08:57am]

» Holiday Scams and Malware Campaigns
[16 Nov 2017 06:41pm]

» Oracle Releases Security Alert
[16 Nov 2017 02:39pm]

» Cisco Releases Security Update
[15 Nov 2017 10:24am]

» Mozilla Releases Security Updates
[14 Nov 2017 01:36pm]

» Microsoft Releases November 2017 Security Updates
[14 Nov 2017 11:50am]

» Adobe Releases Security Updates
[14 Nov 2017 10:41am]

» Microsoft Releases Security Advisory on Dynamic Data Exchange (DDE)
[09 Nov 2017 01:19pm]

***
US-CERT Alerts

» TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
[14 Nov 2017 12:00pm]

» TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
[14 Nov 2017 11:09am]

» TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
[20 Oct 2017 04:50pm]

» TA17-181A: Petya Ransomware
[30 Jun 2017 11:41pm]

» TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
[13 Jun 2017 09:45am]

» TA17-163A: CrashOverride Malware
[12 Jun 2017 03:44pm]

» TA17-156A: Reducing the Risk of SNMP Abuse
[05 Jun 2017 06:11pm]

» TA17-132A: Indicators Associated With WannaCry Ransomware
[12 May 2017 07:36pm]

» TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors
[27 Apr 2017 04:50pm]

» TA17-075A: HTTPS Interception Weakens TLS Security
[16 Mar 2017 06:40am]

***
Computerworld Security

» The best mobile threat defense is mobile threat detection
[22 Nov 2017 04:34am]

» Symphony targets collaboration users outside financial services
[20 Nov 2017 12:03pm]

» Matrix Banker malware spreads to multiple industries | Salted Hash Ep 7
[20 Nov 2017 07:00am]

» Strong and stable: The iOS security guide
[17 Nov 2017 09:36am]

» Patch alert: Microsoft acknowledges printer bug; forced 1709 upgrades continue
[17 Nov 2017 07:06am]

» Microsoft forces Win10 1703 customers onto 1709, and other Patch Tuesday shenanigans
[15 Nov 2017 11:52am]

» 11% off August Smart Lock Pro With Connect Bundle - Deal Alert
[15 Nov 2017 07:46am]

» Lock it down: The macOS security guide
[15 Nov 2017 07:11am]

» ‘Hey Siri, buy $100 Bitcoin for the burglar guy’
[14 Nov 2017 07:08am]

» Ransomware marketplaces and the future of malware | Salted Hash Ep 6
[13 Nov 2017 05:00am]

» The top 5 problems with blockchain
[10 Nov 2017 04:11am]

» Mingis on Tech: The iPhone X – best phone for business, or best phone ever?
[09 Nov 2017 03:15pm]

» Android security audit: An 11-step checklist
[09 Nov 2017 10:36am]

» 15% off APC 11-Outlet Surge Protector with USB Charging Ports and SurgeArrest - Deal Alert
[08 Nov 2017 06:35am]

» What is blockchain? The most disruptive tech in decades
[07 Nov 2017 06:06pm]

***
Microsoft Security Advisories

» 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields - Version: 1.0
[08 Nov 2017 11:00am]

» 4038556 - Guidance for securing applications that host the WebBrowser Control - Version: 1.0
[08 Aug 2017 11:00am]

» 4033453 - Vulnerability in Azure AD Connect Could Allow Elevation of Privilege - Version: 1.0
[27 Jun 2017 11:00am]

» 4025685 - Guidance related to June 2017 security update release - Version: 1.0
[13 Jun 2017 11:00am]

» 4022345 - Identifying and correcting failure of Windows Update client to receive updates - Version: 1.3
[12 May 2017 11:00am]

» 4022344 - Security Update for Microsoft Malware Protection Engine - Version: 1.2
[12 May 2017 11:00am]

» 4021279 - Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege - Version: 1.1
[10 May 2017 11:00am]

» 4010323 - Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11 - Version: 1.0
[09 May 2017 11:00am]

» 3123479 - SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[14 Mar 2017 11:00am]

» 4010983 - Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service - Version: 1.0
[27 Jan 2017 11:00am]

» 3214296 - Vulnerabilities in Identity Model Extensions Token Signing Verification Could Allow Elevation of Privilege - Version: 1.0
[10 Jan 2017 11:00am]

» 3181759 - Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege - Version: 1.0
[13 Sep 2016 11:00am]

» 3174644 - Updated Support for Diffie-Hellman Key Exchange - Version: 1.0
[13 Sep 2016 11:00am]

» 3179528 - Update for Kernel Mode Blacklist - Version: 1.0
[09 Aug 2016 11:00am]

» 2880823 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[18 May 2016 11:00am]

***
Security Latest

» 'Vapor Wake' Explosive-Sniffing Dogs Help Protect the Thanksgiving Day Parade
[22 Nov 2017 09:05am]

» The US Global Engagement Center's Fight Against Russian Propaganda Has Barely Started
[22 Nov 2017 04:00am]

» Uber Hid 57-Million User Data Breach For Over a Year
[21 Nov 2017 05:56pm]

» Feds Indict Iranian for HBO Hack—But Extradition Isn't Likely
[21 Nov 2017 12:47pm]

» Artificial Intelligence Can Hunt Down Missile Sites in China Hundreds of Times Faster Than Humans
[21 Nov 2017 04:00am]

» Intel Management Engine Flaws Leave Millions of PCs Exposed
[20 Nov 2017 09:10pm]

» Stopping Robocalls Will Soon Be Easier Than Ever
[20 Nov 2017 02:27pm]

» The Pentagon Left Data Exposed in the Cloud
[18 Nov 2017 07:00am]

» Everything Attorney General Jeff Sessions Has Forgotten Under Oath
[17 Nov 2017 10:03am]

» Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera
[16 Nov 2017 05:00am]

» The Vulnerabilities Equities Process Still Has Issues Even After Added Transparency
[15 Nov 2017 05:33pm]

» OnePlus Phones Have an Unfortunate Backdoor Built In
[14 Nov 2017 02:57pm]

» How to Lock Down Your Facebook Privacy Settings
[14 Nov 2017 07:10am]

» Inside the Decades-Long Fight for Better Emergency Alerts
[14 Nov 2017 06:00am]

» Watch a 10-Year-Old Beat Apple's Face ID on His Mom's iPhone X
[14 Nov 2017 05:00am]

***
Network World Security

» Docs should help design medical IoT
[17 Nov 2017 05:04am]

» 11% off August Smart Lock Pro With Connect Bundle - Deal Alert
[15 Nov 2017 07:46am]

» Forrester predicts what’s next for IoT
[14 Nov 2017 08:17am]

» What to consider when deploying a next-generation firewall
[08 Nov 2017 11:51am]

» 7 free tools every network needs
[15 Aug 2017 01:52pm]

» Gravityscan, keeping WordPress sites safe
[24 May 2017 02:34pm]

» Network monitoring tools: Features users love and hate
[01 May 2017 04:51am]

» Book Review: Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
[27 Apr 2017 12:45pm]

» Fight firewall sprawl with AlgoSec, Tufin, Skybox suites
[10 Apr 2017 04:32am]

» Review: Canary Flex security camera lives up to its name
[24 Mar 2017 07:01am]

» Zix wins 5-vendor email encryption shootout
[13 Mar 2017 04:00am]

» Review: vArmour flips security on its head
[06 Mar 2017 03:50am]

» 5 open source security tools too good to ignore
[21 Feb 2017 07:12am]

» Matrix Banker malware spreads to multiple industries | Salted Hash Ep 7
[20 Nov 2017 07:00am]

» 11% off August Smart Lock Pro With Connect Bundle - Deal Alert
[15 Nov 2017 07:46am]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}