Federal Information Processing Standard (FIPS) 140

Overview

The Cryptographic Module Validation Program (CMVP) was established by the National Institute of Standards and Technology (NIST) in the United States (US) and the Canadian Centre for Cyber Security (CCCS) of the Government of Canada in July 1995 to oversee the testing results of cryptographic modules produced by accredited third-party laboratories. NIST published the first cryptographic module standard, Federal Information Processing Standard FIPS 140-1, in 1994. The FIPS 140 standard is reviewed regularly: “New or revised requirements may be needed to meet technological and economic changes. This standard will be reviewed at least every five years in order to consider necessary updates or replacement.” (PDF)

FIPS 140-3 (PDF) was announced in March 2019. It was made available for testing in September 2020 and became mandatory for new testing on April 1, 2022. FIPS 140-3 maps to the International Organization for Standardization (ISO) standards ISO/IEC 19790:2012 and ISO/IEC 24759, Information Technology – Security Techniques – Test Requirements for Cryptographic Modules. Customers can continue to make use of FIPS 140-2 validated modules, as long as they remain active on the NIST website, until replacement FIPS 140-3 modules become available. Modules validated as conforming to FIPS 140-2 and active on the NIST website continue to be accepted by the US and Canadian governments for the protection of unclassified but sensitive information until September 21, 2026. After this date, only FIPS 140-3 validated modules will be accepted.

As a prerequisite to a CMVP validation, Cryptographic Algorithm Validation Program (CAVP) conformance testing is required to validate the module's FIPS-approved and NIST-recommended cryptographic algorithms.

FIPS 140 specifies security requirements for cryptographic modules that encrypt and decrypt data, securely generate cryptographic keys, perform hashing, execute secure key transport and key agreement, and generate or verify digital signatures, all using NIST-approved standards. FIPS 140 validation is mandatory for vendors selling cryptography to the US and Canadian governments. Government agencies consider data that is not protected by FIPS-validated cryptography to be unprotected plaintext. FedRAMP-authorized cloud solutions require that any cryptographic mechanisms deployed in those solutions be FIPS 140 validated.

Validations

Since 1999, the number of validations performed by Oracle against the FIPS 140 standard has increased continuously. Oracle’s validation approach combines FIPS 140 validated open source cryptographic libraries with proprietary third-party cryptographic modules.

Within the Cryptographic Module Validation Program (CMVP) there are three main phases which are represented by lists on the CMVP website: Implementation Under Test (IUT), Modules in Process (MIP) and Validated Modules.

The IUT list includes modules where the vendor is under contract with an accredited laboratory to perform the validation testing, but nothing has been submitted to the CMVP. Vendors have 18 months to complete testing or be removed from the IUT list.

The Modules in Process List includes modules where laboratories submitted testing results to the CMVP, and the validation process is in one of these phases:

  • Review pending—testing has completed at the laboratory and the report has been submitted to the CMVP
  • In review—the submission has been assigned and is being reviewed by a CMVP reviewer
  • Coordination—an iterative phase in which the CMVP reviewer sends report comments back to the laboratory, which responds to them with input from the vendor. This phase continues until the CMVP reviewer has closed all the comments
  • Finalization—the CMVP accepts the validation test report and a certificate number is assigned

The Validated Modules list includes modules that have completed certification against the FIPS 140 standard. Modules are considered active for five years from their validation date. After five years, the module is automatically marked as historical, meaning government agencies cannot procure it. However, if the module still meets the current FIPS 140-3 requirements after those five years, the vendor can apply to have it reinstated.

For a list of Oracle’s cryptographic module validations and status please see here.

For additional information on Oracle’s FIPS 140 status and participation, please email seceval_us@oracle.com.