FIPS 140-2

FIPS 140-2 testing was still available until September 21, 2021 (later changed to April 1, 2022 for applications already in progress[5]), creating an overlapping transition period of more than one year.

The standard provides four increasing qualitative levels of security intended to cover a wide range of potential applications and environments.

The cryptographic modules are produced by the private sector or open source communities for use by the U.S. government and other regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.

The physical security mechanisms may include the use of strong enclosures and tamper-detection/response circuitry that zeroizes all plaintext critical security parameters (CSPs) when the removable covers/doors of the cryptographic module are opened.

Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate deletion of all plaintext CSPs.

Intentional excursions beyond the normal operating ranges may be used by an attacker to thwart a cryptographic module's defenses.

The FIPS 140-2 standard is an information technology security approval program for cryptographic modules produced by private sector vendors who seek to have their products certified for use in government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.

Security requirements cover 11 areas related to the design and implementation of a cryptographic module.

Within most areas, a cryptographic module receives a security level rating (1–4, from lowest to highest), depending on what requirements are met.

NIST maintains validation lists[12] for all of its cryptographic standards testing programs (past and present).

By contrast, companies that had renamed and certified copies of the open-source OpenSSL derivative were not decertified, even though their modules were essentially identical and they did not fix the vulnerability.

Figure: rngtest result of a randomness test using FIPS 140-2.
Figure: flowchart of the validation process for FIPS 140-2.
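The rngtest figure above shows the FIPS 140-2 statistical tests (monobit, poker, runs and long run) applied to 20,000-bit blocks of generator output. The following is an added example, not rngtest's own code, that implements those four tests in Python with the acceptance intervals from FIPS 140-2 section 4.9.1 as rngtest applies them; the function names are this example's own, and the two constructed inputs at the end of the test are deliberately non-random so the expected verdicts are known.

```python
from typing import Dict, List

BLOCK_BITS = 20_000  # every FIPS 140-2 statistical test works on a 20,000-bit block

# Acceptance intervals from FIPS 140-2 section 4.9.1 (the same ones rngtest uses)
MONOBIT_RANGE = (9725, 10275)           # strict bounds on the number of one bits
POKER_RANGE = (2.16, 46.17)             # strict bounds on the poker statistic
RUNS_RANGES = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
               4: (240, 384), 5: (103, 209), 6: (103, 209)}  # inclusive; 6 means "6 or longer"
LONG_RUN_LIMIT = 26                     # any run of 26 or more identical bits fails the block

def bytes_to_bits(data: bytes) -> List[int]:
    """Unpack the first 2500 bytes into 20,000 bits, most significant bit first."""
    if len(data) < BLOCK_BITS // 8:
        raise ValueError("a FIPS 140-2 block needs at least 2500 bytes")
    return [(b >> (7 - i)) & 1 for b in data[:BLOCK_BITS // 8] for i in range(8)]

def run_lengths(bits: List[int]) -> List[tuple]:
    """Return (bit_value, length) for every maximal run of identical bits."""
    runs, start = [], 0
    for i in range(1, len(bits) + 1):
        if i == len(bits) or bits[i] != bits[start]:
            runs.append((bits[start], i - start))
            start = i
    return runs

def fips_140_2_tests(data: bytes) -> Dict[str, bool]:
    """Run the four FIPS 140-2 statistical tests on one block; True means pass."""
    bits = bytes_to_bits(data)
    results = {}
    # Monobit: the count of ones must sit close to 10,000
    ones = sum(bits)
    results["monobit"] = MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1]
    # Poker: chi-square style statistic over the 5000 four-bit segments
    counts = [0] * 16
    for i in range(0, BLOCK_BITS, 4):
        counts[(bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]] += 1
    poker = (16 / 5000) * sum(c * c for c in counts) - 5000
    results["poker"] = POKER_RANGE[0] < poker < POKER_RANGE[1]
    # Runs: histogram of run lengths 1..6+ for zeros and for ones, each within its interval
    runs = run_lengths(bits)
    hist = {v: {k: 0 for k in RUNS_RANGES} for v in (0, 1)}
    for value, length in runs:
        hist[value][min(length, 6)] += 1
    results["runs"] = all(lo <= hist[v][k] <= hi
                          for v in (0, 1) for k, (lo, hi) in RUNS_RANGES.items())
    # Long run: no run of LONG_RUN_LIMIT or more identical bits anywhere in the block
    results["long_run"] = all(length < LONG_RUN_LIMIT for _, length in runs)
    return results
```

Feeding the function 2500 bytes from a real generator (for example `os.urandom(2500)`) gives the same per-test verdicts rngtest prints; a block that fails any test should be discarded, and a generator that fails repeatedly should be treated as faulty.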