FIPS 140-3: What Embedded Vendors Need to Know About the New NSA and NIST Mandated Communication Security Standard
FIPS 140 (short for “Federal Information Processing Standard number 140”) is a US government standard, established by the National Institute of Standards and Technology (NIST), that specifies a series of requirements an encryption module must meet before it can be used in a Federal government system. These requirements cover a range of subjects: proper key management, secure generation of random numbers, which encryption algorithms may be used, and module self-tests and error detection.
Put more simply, if a product performs encryption, the portion of that product which actually implements the encryption is the focus of FIPS 140. FIPS 140 is of interest to the embedded systems industry for several reasons:
First, under Section 5-131 of the Information Technology Reform Act of 1996 (Public Law 104-106), and the Computer Security Act of 1987 (Public Law 100-235), FIPS from NIST may be approved by the Secretary of Commerce and made binding on all Federal agencies. FIPS 140 has been granted such approval, and therefore all Federal agencies are required to use FIPS 140-certified encryption to protect all sensitive information processed by all data processing systems, from embedded systems to mainframes.
This means that vendors cannot sell a system that uses encryption to any Federal agency unless that system incorporates FIPS 140-certified encryption.