Keeping sensitive data, such as Personally Identifiable Information (PII), secure in every stage of its life is an important task for any organization. To simplify this process, standards, regulations, and best practices were created to better protect data. The Federal Information Protection Standard, or FIPS, is one of these standards. These standards were created by the National Institute of Science and Technology (NIST) to protect government data, and ensure those working with the government comply with certain safety standards before they have access to data. FIPS has a number of standards released, but this article discusses FIPS 140-2.

What is FIPS 140-2?

FIPS 140-2 is a standard which handles cryptographic modules and the ones that organizations use to encrypt data-at-rest and data-in-motion. FIPS 140-2 has 4 levels of security, with level 1 being the least secure, and level 4 being the most secure:

  • FIPS 140-2 Level 1- Level 1 has the simplest requirements. It requires production-grade equipment, and atleast one tested encryption algorithm. This must be a working encryption algorithm, not one that has not been authorized for use.
  • FIPS 140-2 Level 2- Level 2 raises the bar slightly, requiring all of level 1’s requirements along with role-based authentication and tamper evident physical devices to be used. It should also be run on an Operating System that has been approved by Common Criteria at EAL2.
  • FIPS 140-2 Level 3- FIPS 140-2 level 3 is the level the majority of organizations comply with, as it is secure, but not made difficult to use because of that security. This level takes all of level 2’s requirements and adds tamper-resistant devices, a separation of the logical and physical interfaces that have “critical security parameters” enter or leave the system, and identity-based authentication. Private keys leaving or entering the system must also be encrypted before they can be moved to or from the system.
  • FIPS 140-2 Level 4- The most secure level of FIPS 140-2 uses the same requirements of level 3 and desires that the compliant device be able to be tamper-active and that the contents of the device be able to be erased if certain environmental attacks are detected. Another focus of FIPS 140-2 level 4 is that the Operating Systems being used by the cryptographic module must be more secure than earlier levels. If multiple users are using a system, the OS is held to an even higher standard.
Implement HSM with existing Infrastructure

Why is being FIPS 140-2 compliant important?

One of the many reasons to become FIPS compliant is due to the government’s requirement that any organization working with them must be FIPS 140-2 compliant. This requirement ensures government data handled by third-party organizations is stored and encrypted securely and with the proper levels of confidentiality, integrity, and authenticity. Companies desiring to create cryptographic modules, such as nCipher or Thales, must become FIPS compliant if they want the vast majority of companies to use their device, especially the government. Many organizations have developed the policy of becoming FIPS 140-2 compliant, as it makes their organization and services seem more secure and trusted.

Another reason to be FIPS compliant is the rigorous testing that has gone into verifying the strength behind the requirements of FIPS 140-2. The requirements for each level of FIPS 140-2 have been selected after a variety of tests for confidentiality, integrity, non-repudiation, and authenticity. As the government has some of the most sensitive information in the nation, devices, services, and other products used by them must be at the highest level of security at all times. Using services or software without these tested methods in place could lead to a massive breach in security, causing problems for every person in the nation.

Who needs to be FIPS compliant?

The main organizations that are required to be FIPS 140-2 compliant are federal government organizations that either collect, store, share, transfer, or disseminate sensitive data, such as Personally Identifiable Information. All federal agencies, their contractors, and service providers must all be compliant with FIPS as well. Additionally, any systems deployed in a federal environment must also be FIPS 140-2 compliant. This includes the encryption systems utilized by Cloud Service Providers (CSPs), computer solutions, software, and other related systems. This means only those services, devices, and software that are FIPS compliant can even be considered for use by the federal government, which is one of the reasons so many technology companies want to ensure they are FIPS 140-2 compliant.

FIPS compliance is also recognized around the world as one of the best ways to ensure cryptographic modules are secure. Many organizations follow FIPS to ensure their own security is up to par with the government’s security. Many other organizations become FIPS 140-2 compliant to distribute their products and services in not only the United States, but also internationally. As FIPS is recognized around the world, any organization that possesses FIPS compliance will be seen as a trusted provider of services, products, and software. Some fields, such as manufacturing, healthcare, and financial sectors, along with local governments require FIPS 140-2 compliance as well.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Table of Contents

Cryptography is the study of securing communications from outside observers. Encryption algorithms take the original message, or plaintext, and converts it into ciphertext, which is not understandable. The key allows the user to decrypt the message, thus ensuring on they can read the message. The strength of the randomness of an encryption is also studied, which makes it harder for anyone to guess the key or input of the algorithm. Cryptography is how we can achieve more secure and robust connections to elevate our privacy. Advancements in cryptography makes it harder to break encryptions so that encrypted files, folders, or network connections are only accessible to authorized users.

Cryptography focuses on four different objectives:

  1. Confidentiality

    Confidentiality ensures that only the intended recipient can decrypt the message and read its contents.

  2. Non-repudiation

    Non-repudiation means the sender of the message cannot backtrack in the future and deny their reasons for sending or creating the message.

  3. Integrity

    Integrity focuses on the ability to be certain that the information contained within the message cannot be modified while in storage or transit.

  4. Authenticity

    Authenticity ensures the sender and recipient can verify each other’s identities and the destination of the message.

These objectives help ensure a secure and authentic transfer of information.

History of Cryptography

Cryptography began with ciphers, the first of which was the Caesar Cipher. Ciphers were a lot easier to unravel compared to modern cryptographic algorithms, but they both used keys and plaintext. Though simple, ciphers from the past were the earliest forms of encryption. Today’s algorithms and cryptosystems are much more advanced. They use multiple rounds of ciphers and encrypting the ciphertext of messages to ensure the most secure transit and storage of data. There are also methods of cryptography used now that are irreversible, maintaining the security of the message forever.

The reason for more advanced cryptography methods is due to the need for data to be protected more and more securely. Most of the ciphers and algorithms used in the early days of cryptography have been deciphered, making them useless for data protection. Today’s algorithms can be deciphered, but it would require years and sometimes decades to decipher the meaning of just one message. Thus, the race to create newer and more advanced cryptography techniques continues.

Secure your data through Encryption Assessment

Types of Cryptography

Cryptography can be broken down into three different types:

  • Secret Key Cryptography
  • Public Key Cryptography
  • Hash Functions

Secret Key Cryptography, or symmetric cryptography, uses a single key to encrypt data. Both encryption and decryption in symmetric cryptography use the same key, making this the easiest form of cryptography. The cryptographic algorithm utilizes the key in a cipher to encrypt the data, and when the data must be accessed again, a person entrusted with the secret key can decrypt the data. Secret Key Cryptography can be used on both in-transit and at-rest data, but is commonly only used on at-rest data, as sending the secret to the recipient of the message can lead to compromise.


  • AES
  • DES
  • Caesar Cipher

Public Key Cryptography, or asymmetric cryptography, uses two keys to encrypt data. One is used for encryption, while the other key can decrypts the message. Unlike symmetric cryptography, if one key is used to encrypt, that same key cannot decrypt the message, rather the other key shall be used.

One key is kept private, and is called the “private key”, while the other is shared publicly and can be used by anyone, hence it is known as the “public key”. The mathematical relation of the keys is such that the private key cannot be derived from the public key, but the public key can be derived from the private. The private key should not be distributed and should remain with the owner only. The public key can be given to any other entity.


  • ECC
  • Diffie-Hellman
  • DSS

Hash functions are irreversible, one-way functions which protect the data, at the cost of not being able to recover the original message. Hashing is a way to transform a given string into a fixed length string. A good hashing algorithm will produce unique outputs for each input given. The only way to crack a hash is by trying every input possible, until you get the exact same hash. A hash can be used for hashing data (such as passwords) and in certificates.

Some of the most famous hashing algorithms are:

  • MD5
  • SHA-1
  • SHA-2 family which includes SHA-224, SHA-256, SHA-384, and SHA-512
  • SHA-3
  • Whirlpool
  • Blake 2
  • Blake 3

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Let's talk