NIST updates FIPS security standard

By Shruti Daté

GCN Staff

FEB. 3: The National Institute of Standards and Technology recently issued a draft revision of the government's cryptographic module validation standard that streamlines the standard and addresses attack techniques the original did not cover.

"The standard has not changed in focus or emphasis," said Ray Snouffer, program manager for NIST's Cryptographic Module Validation Program (CMVP). "We've removed the redundant areas and clarified the language."

Federal Information Processing Standard 140-1 covers 11 areas of security requirements at four increasing levels of security. It requires federal agencies to use validated cryptographic modules to protect sensitive but unclassified information in government systems. NIST reviews each FIPS at five-year intervals.

The revised standard, FIPS 140-2, carries over its predecessor's requirements and expands on them but does not change the physical security requirements; it only consolidates them, because FIPS 140-1 states the physical security requirements in overlapping sections, said Annabelle Lee, CMVP deputy director.

FIPS 140-2 also specifies that an operating system a module relies on must be evaluated against the Common Criteria (this applies at Security Level 2 and above). Previously, NIST required that OSes meet the National Security Agency's Trusted Computer System Evaluation Criteria, or Orange Book.

CMVP also has added a section on mitigating other attacks, such as timing and power analysis, that the earlier requirement areas did not address. FIPS 140-2 likewise expands the self-test section, which spells out the power-up tests a module must run before it may operate (known-answer tests of its cryptographic algorithms and an integrity test of its software or firmware) and the conditional tests it must run during operation, such as a continuous random number generator test.
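To make the self-test requirements concrete, here is an added example (not code from NIST, the CMVP or the article) of what a toy software module's power-up and conditional self-tests look like: a known-answer test for SHA-256 using the FIPS 180 "abc" vector, an HMAC-based software integrity test over a constructed stand-in for the module image, and the continuous RNG test, which holds back the first block drawn and fails if any two consecutive blocks are equal. The module image, integrity key and the `healthy_source`/`stuck_source` generators are constructed for illustration.

```python
"""Toy FIPS 140-2 style self-tests (illustrative, not a validated module)."""
import hashlib
import hmac
import os
from typing import Callable, Dict

# Known-answer vector: SHA-256("abc") as published in FIPS 180.
SHA256_KAT_INPUT = b"abc"
SHA256_KAT_EXPECTED = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Constructed stand-ins for the module's software image and the integrity
# key/tag an integrator would fix at build time (hypothetical values).
MODULE_IMAGE = b"toy cryptographic module v1.0"
INTEGRITY_KEY = b"build-time-integrity-key"
INTEGRITY_TAG = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, hashlib.sha256).hexdigest()


class SelfTestError(RuntimeError):
    """A failed self-test: the module must enter an error state and stop."""


def sha256_known_answer_test() -> bool:
    """Power-up test: hash a fixed input and compare with the stored answer."""
    digest = hashlib.sha256(SHA256_KAT_INPUT).hexdigest()
    return hmac.compare_digest(digest, SHA256_KAT_EXPECTED)


def software_integrity_test(image: bytes, key: bytes, expected_tag: str) -> bool:
    """Power-up test: recompute the HMAC over the image and compare with the build-time tag."""
    tag = hmac.new(key, image, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected_tag)


def power_up_self_tests(image: bytes = MODULE_IMAGE,
                        key: bytes = INTEGRITY_KEY,
                        tag: str = INTEGRITY_TAG) -> Dict[str, bool]:
    """Run every power-up test; the module may offer services only if all pass."""
    results = {
        "sha256_kat": sha256_known_answer_test(),
        "integrity": software_integrity_test(image, key, tag),
    }
    results["passed"] = all(results.values())
    return results


class ContinuousRngTest:
    """Conditional test: the first block after start-up is saved and never
    output; each later block is compared with its predecessor and the test
    fails if the two are equal."""

    def __init__(self, source: Callable[[int], bytes], block_size: int = 16):
        self._source = source
        self._block_size = block_size
        self._last = source(block_size)  # held back for comparison only

    def next_block(self) -> bytes:
        block = self._source(self._block_size)
        if block == self._last:
            raise SelfTestError("continuous RNG test failed: repeated block")
        self._last = block
        return block


def run_continuous_rng_check(source: Callable[[int], bytes],
                             draws: int = 4, block_size: int = 16) -> bool:
    """Draw `draws` blocks through the test; False means a repeat was detected."""
    try:
        rng = ContinuousRngTest(source, block_size)
        for _ in range(draws):
            rng.next_block()
        return True
    except SelfTestError:
        return False


def healthy_source(n: int) -> bytes:
    """Constructed 'good' generator backed by the OS random source."""
    return os.urandom(n)


def stuck_source(n: int) -> bytes:
    """Constructed faulty generator that always returns the same block."""
    return b"\x00" * n


if __name__ == "__main__":
    print("power-up:", power_up_self_tests())
    print("tampered image:", power_up_self_tests(image=MODULE_IMAGE + b"!"))
    print("healthy RNG passes:", run_continuous_rng_check(healthy_source))
    print("stuck RNG passes:", run_continuous_rng_check(stuck_source))
```

The comparisons use `hmac.compare_digest` so that a failing test does not leak where the mismatch occurs; a real module would also refuse all cryptographic services while in the error state rather than just report a result.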

Commerce Secretary William Daley is expected to approve the standard this summer, and FIPS 140-2 would take effect six months later. NIST would give agencies an additional six-month transition period.

NIST will accept comments on the proposal until Feb. 15; they can be sent via e-mail to
