The Federal Information Processing Standard (FIPS) was established in 1996 under the Information Technology Reform Act and the Computer Security Act and became the responsibility of the National Institute of Standards and Technology (NIST). NIST authors and develops the respective FIPS standards and guidelines. The FIPS 140-1, FIPS 140-2 and FIPS 140-3 standards were developed for use by Federal organizations that rely on cryptographic-based security systems to protect sensitive but unclassified information. This information is protected using a cryptographic module. FIPS 140-3 provides four increasing security levels (1 - 4) and accommodates various module types (e.g., hardware and software). It mandates requirements for the secure design and implementation of a cryptographic module covering the following domains:
- Cryptographic Module Specification
- Cryptographic Module Interfaces
- Roles, Services, and Authentication
- Software/Firmware Security
- Operational Environment
- Physical Security
- Non-Invasive Security
- Sensitive Security Parameter Management
- Cryptographic Algorithm and Module Self-Testing
- Lifecycle Assurance
- Mitigation of Other Attacks
The Cryptographic Module Validation Program (CMVP) validates cryptographic modules to FIPS 140-3 and other cryptographic-based standards. The CMVP is a collaboration between the United States and Canada. Products validated as conforming to FIPS 140-3 are accepted by the Federal agencies of both countries. Cryptographic modules are conformance tested by independent, accredited testing laboratories. Testing reports are submitted to the CMVP for validation and the issuance of a certification. The National Voluntary Laboratory Accreditation Program (NVLAP) accredits laboratories to perform cryptographic module conformance testing.
Penumbra Security is accredited under NVLAP (Laboratory Code 200983-0) for test methods for FIPS 140-2 Levels 1-4, Security Requirements for Cryptographic Modules, and for testing of Approved security functions.
Penumbra also offers evaluations to ISO/IEC 19790, second edition (2012-08-15), Information technology – Security techniques – Security requirements for cryptographic modules.