
By Nadia ElKaissi, CHTM
Picture this: During a procurement review, a vendor states that their product is “FIPS compliant.” When asked for details, they are unable to immediately provide a certificate number or clarify whether the cryptographic module is validated under FIPS 140-2 or FIPS 140-3. This is often the moment when teams realize why understanding FIPS matters before moving forward.
If you are new to cybersecurity, have no fear! You do not need to understand cryptography in order to understand FIPS. FIPS exists so organizations do not have to rely on guesswork or deep technical expertise to trust that encryption is being implemented safely.
FIPS stands for Federal Information Processing Standards. These standards are developed by the National Institute of Standards and Technology (NIST), a U.S. government standards organization. FIPS provides guidance on how sensitive information, especially data used by the federal government, must be protected. While there are multiple FIPS standards, one of the most referenced in cybersecurity is FIPS 140, which focuses specifically on encryption.

WHY FIPS MATTERS
Encryption is a foundational security control. If it is implemented incorrectly, other security measures may not matter. FIPS validation helps ensure that only approved and well-tested cryptographic methods are used and that encryption keys are generated, stored and handled securely. For U.S. federal agencies, FIPS compliance is mandatory. For healthcare organizations, financial services, cloud providers, and government contractors, FIPS is often required by contracts, audits, or regulatory expectations. In practice, FIPS serves as a trusted baseline for cryptographic security.
WHAT FIPS 140 COVERS
FIPS 140 focuses on cryptographic modules, which are the parts of software or hardware responsible for performing encryption-related functions. Encryption is the process of turning readable data into data that cannot be read without the correct key. These cryptographic modules handle tasks such as: encrypting and decrypting data; creating and protecting encryption keys; authenticating data; detecting and responding to cryptographic failures. It is important to note that FIPS 140 does not evaluate the entire product. Instead, it ensures that the encryption component itself meets well-defined security requirements.
DIFFERENCES BETWEEN FIPS 140-2 AND FIPS 140-3
There are two versions of FIPS 140 that are commonly referenced today: FIPS 140-2 and FIPS 140-3. FIPS 140-2 was published in 2001 and became widely deployed and established. It is still present in many existing environments, but it is no longer approved for new validations. FIPS 140-3, published in 2019, is based on modern international security standards and is better suited to today’s technologies, including cloud and virtualized environments. Acceptance of new FIPS 140-2 validations ended in 2021. While existing FIPS 140-2 validated modules may remain in use until their certificates expire, FIPS 140-3 is the standard moving forward.
WHEN SHOULD FIPS 140-3 BE REQUIRED?
As a general rule, FIPS 140-3 should be required for new investments, including: new hardware or software procurements; cloud-based or virtualized systems; systems expected to remain in service for many years; and environments that may support government or regulated data in the future. Requiring the current standard helps avoid compliance and life cycle challenges later. FIPS 140-2 may still be acceptable in limited situations, such as supporting legacy environments or maintaining existing or previously approved systems. In these cases, organizations should treat FIPS 140-2 as a transitional solution and ensure there is a documented plan to move toward FIPS 140-3.
TIPS WHEN EVALUATING FIPS CLAIMS
If you are new to FIPS, vendor FIPS claims can be confusing. The tips below can help cut through marketing language and focus on verifiable facts.
1. Always Ask for Proof
Request the NIST CMVP (Cryptographic Module Validation Program) certificate and verify that the certificate is in the NIST CMVP database. While brochures or marketing materials may reference FIPS, they should never replace independent verification.
2. “Compliant” Is Not the Same as “Validated”
The term “FIPS compliant” is not the same as “FIPS validated.” FIPS validation means the cryptographic module has been tested and approved by NIST. Only validated modules meet FIPS requirements.
3. Confirm What Is Actually Validated
Vendors may claim their product is FIPS validated, but it’s important to identify which cryptographic module is validated. Ensure the specific module in use – not just the product name – has validation. Request an SBOM or vendor attestation confirming the validated module is in use.
4. Check Certificate Status
Even if a certificate exists, verify its current status. Some FIPS 140-2 certificates are now listed as “historical.” Historical certificates are typically acceptable only for existing deployments and are not appropriate for new procurements.
5. Require a Transition Plan
If you are purchasing a product that currently relies on FIPS 140-2, consider future requirements. Request a roadmap for FIPS 140-3 validation, including expected timelines, and discuss plans for upgrades or recertification.
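As an added illustration, not part of the original article, the Python sketch below turns tips 1 to 5 into a single review decision over constructed vendor claims. The VendorClaim fields, the decision labels and the placeholder certificate numbers are assumptions made for this example; the CMVP lookup itself is still done by hand and its outcome recorded in found_in_cmvp.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class VendorClaim:
    product: str
    certificate_number: Optional[str]  # CMVP certificate number the vendor gave, or None
    found_in_cmvp: bool                # that number was found in the NIST CMVP database
    standard: Optional[str]            # "FIPS 140-2" or "FIPS 140-3" as shown on the listing
    certificate_status: Optional[str]  # "active" or "historical" as shown on the listing
    module_in_use_attested: bool       # SBOM or attestation names the validated module in use
    transition_plan: bool              # written FIPS 140-3 roadmap supplied by the vendor
    new_procurement: bool = True       # new purchase rather than maintaining an existing system

def evaluate_claim(c: VendorClaim) -> Tuple[str, List[str]]:
    """Return (decision, findings); decision is accept, accept-transitional, hold or reject."""
    findings: List[str] = []
    # Tips 1 and 2: no certificate verifiable in CMVP means 'compliant' wording, not validation.
    if not c.certificate_number or not c.found_in_cmvp:
        return "reject", ["no CMVP certificate verifiable in the NIST database; not validated"]
    # Tip 4: a historical certificate covers existing deployments only, never a new procurement.
    if c.certificate_status == "historical" and c.new_procurement:
        return "reject", ["certificate is listed as historical; not acceptable for new procurement"]
    hold = transitional = False
    # Tip 3: the validated module must be the one the product actually uses.
    if not c.module_in_use_attested:
        findings.append("no SBOM or attestation tying the validated module to this product")
        hold = True
    # Tip 5: FIPS 140-2 is transitional and needs a documented FIPS 140-3 plan.
    if c.standard == "FIPS 140-2":
        if c.transition_plan:
            transitional = True
            findings.append("FIPS 140-2 accepted as transitional; track the FIPS 140-3 roadmap")
        else:
            findings.append("FIPS 140-2 module with no documented FIPS 140-3 transition plan")
            hold = True
    elif c.standard != "FIPS 140-3":
        findings.append(f"unrecognised standard {c.standard!r} on the certificate")
        hold = True
    if hold:
        return "hold", findings
    return ("accept-transitional" if transitional else "accept"), findings

# Constructed sample claims; the certificate numbers are placeholders, not real CMVP entries.
SAMPLE_CLAIMS = [
    VendorClaim("Gateway A", None, False, None, None, False, False),
    VendorClaim("Gateway B", "CERT-PLACEHOLDER-1", True, "FIPS 140-2", "historical", True, True),
    VendorClaim("Gateway C", "CERT-PLACEHOLDER-2", True, "FIPS 140-2", "active", True, False),
    VendorClaim("Gateway D", "CERT-PLACEHOLDER-3", True, "FIPS 140-3", "active", True, False),
]
```

Running evaluate_claim over SAMPLE_CLAIMS rejects A (no certificate) and B (historical certificate on a new purchase), holds C until a transition plan arrives, and accepts D; the same historical 140-2 claim as B passes as transitional when new_procurement is False.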
Now let’s recap. FIPS validation ensures encryption is implemented correctly and independently tested. FIPS 140-3 is the current and future standard, while FIPS 140-2 remains acceptable only in limited transition scenarios. Procurement decisions should be based on validation status, not marketing language. In short, FIPS enables organizations to trust encryption without needing to be cryptography experts – as long as the validation is real and current.

