Federal Information Processing Standard (FIPS)
FIPS 140-2 is a standard first published in 2001 by the U.S. National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce. NIST works to establish various standards that the U.S. military and various government agencies must abide by. FIPS 140-2 has equal weight in both the US and Canada, with the Canadian Communications Security Establishment (CSE) being involved as well. Vendors, contractors, and any organization working with government or military must comply with FIPS as well.
Many solutions claim to be “FIPS compliant.” This phrase is simply a claim that the solution aligns with FIPS requirements. However, to truly comply with FIPS, a solution needs to be FIPS validated. FIPS validation involves submitting detailed documentation and source code to NIST (US) and CSE (Canada) testing laboratories – a process that takes six to nine months on average. Consequently, creating FIPS-validated solutions involves not only using approved algorithms, but also providing software that is well documented, well engineered, and easily testable.
This whitepaper briefly describes the FIPS encryption standards as well as Ipswitch’s solution, first implemented in Ipswitch’s MOVEit products in 2003.