LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is FIPS 140, and what do its four levels mean?

FIPS 140 = Federal Information Processing Standard, the US NIST publication that certifies cryptographic hardware/software modules. Levels 1–4 escalate from basic algorithm correctness to physical tamper-resistance.

Four-rung ladder from Level 1 (approved algorithm) up through Level 2 (tamper-evidence), Level 3 (tamper-resistance), to Level 4 (tamper-resistance in hostile environments)

* FIPS 140's tamper-resistance ladder: each level adds physical protection, from just using approved crypto (L1) to surviving environmental attack (L4). *

Level What it certifies
Level 1 A reviewed algorithm or "bestätigte Sicherheitsfunktion" is used (e.g., AES, not home-grown crypto)
Level 2 Adds basic tamper-detection (e.g., evidence stickers, locks)
Level 3 Tamper-resistance: the module withstands physical attack to keep keys safe
Level 4 Tamper-resistance even in hostile environments (extreme temperature, voltage attacks, EMI) — used for unattended high-value devices

FIPS 140-2 and 140-3 are the current revisions (140-3 was published 2019 and aligns with ISO/IEC 19790).

Why this matters: US federal agencies are legally required to use FIPS-validated crypto. Companies selling into US government must therefore source FIPS-validated modules (e.g., FIPS-validated OpenSSL, smart cards, HSMs). The validation list is at csrc.nist.gov/projects/cryptographic-module-validation-program.

Tip: "FIPS-compliant" ≠ "FIPS-validated." A product can use FIPS-approved algorithms (compliant) without ever submitting a module for the lab evaluation (validated). Validation costs €100k+ and takes 12–24 months — only the validated ones can be sold to US federal customers.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 14, 2026