FIPS 140-2 Certification

Thales helps you meet your needs for data security compliance with FIPS 140-2 certified products.

FIPS 140-2

The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2), commonly referred to as FIPS 140-2, is a US government computer security standard used to validate cryptographic modules. FIPS 140-2 was created by NIST [1] and, per FISMA [2], is mandatory for US and Canadian government procurements. Many global organizations are also mandated to meet this standard.

Thales delivers security products that have been tested and validated against the rigorous FIPS 140-2 standard, helping you comply with regulations while also giving you the confidence you need in your cryptographic tools.

[1] https://www.nist.gov/
[2] https://csrc.nist.gov/topics/laws-and-regulations/laws/fisma

FIPS 140-2 overview

According to FIPS Publication 140-2:

[It] provides a standard that will be used by Federal organizations when these organizations specify that cryptographic-based security systems are to be used to provide protection for sensitive or valuable data. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. This standard specifies the security requirements that will be satisfied by a cryptographic module.

… The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.

Certification authorities

The US National Institute of Standards and Technology (NIST) and Canadian Communications Security Establishment (CSE) jointly participate as certification authorities in the Cryptographic Module Validation Program (CMVP) to provide validation of cryptographic modules to the FIPS 140-2 standard.

Thales support for FIPS 140-2 Security Standard

Thales develops cryptographic products and subsystems that conform to the FIPS 140-2 security standard. Thales products that meet the standard include:

Hardware security modules (HSMs)

Luna HSMs from Thales provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more. Available in three FIPS 140-2 certified form factors, Luna HSMs support a variety of deployment scenarios.

In addition, Luna HSMs:

  • Generate and protect root and certificate authority (CA) keys, providing support for PKIs across a variety of use cases
  • Sign your application code so you can ensure that your software remains secure, unaltered, and authentic
  • Create digital certificates for credentialing and authenticating proprietary electronic devices for IoT applications and other network deployments

The payShield family of HSMs are proven hardware security modules dedicated to the payment industry for issuing credentials, processing transactions, and managing keys.

Data at rest encryption – CipherTrust Data Security Platform

At the center of the CipherTrust Data Security Platform is the FIPS 140-2 compliant CipherTrust Manager, which provides cryptographic-key and policy management for CipherTrust Transparent Encryption, CipherTrust Tokenization, and CipherTrust Application Data Protection. Delivered in virtual and physical appliance form factors, the CipherTrust Manager delivers key storage and protection for data at rest.

Related Resources

Secure your digital assets, comply with regulatory and industry standards, and protect your organization’s reputation. Learn how Thales can help.

Risk Management Strategies for Digital Processes with HSMs - White Paper

An Anchor of Trust in a Digital World. Business and governmental entities recognize their growing exposure to, and the potential ramifications of, information incidents, such as: failed regulatory audits, fines, litigation, breach notification costs, market set-backs, brand...

Transaction processing using payShield HSMs - Brochure

payShield from Thales is the world’s leading payment HSM, helping to secure an estimated 80% of global point of sale (POS) transactions. As the HSM of choice for payment solution providers and payment technology vendors, it delivers proven integration with all of the leading...

Thales Data Protection on Demand Services - Solution Brief

Thales Data Protection on Demand is a cloud-based platform that provides a wide range of Cloud HSM and key management services through a simple online marketplace. With Luna Cloud HSM and CipherTrust Key Management services on Data Protection on Demand (DPoD), security is made...

Choosing the Right Cloud HSM - Webinar

Join us as we discuss the complexities of managing native cloud HSMs separately, leading to islands of security with different features and rules for each.

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements, including GDPR, Schrems II, PCI-DSS and data breach notification laws.

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.