Home page logo

isn logo Information Security News mailing list archives

New standard set for security
From: William Knowles <wk () c4i org>
Date: Thu, 28 Jun 2001 14:12:52 -0500 (CDT)


BY Diane Frank 
June 28, 2001 

The Commerce Department has formally approved the new standard for the
minimum level of cryptography in federal security products, replacing
a standard that had been in effect for seven years.

With the approval June 27, security products used by agencies for
sensitive, unclassified information must be certified under the
National Institute of Standards and Technologys Federal Information
Processing Standard (FIPS) 140-2, Security Requirements for
Cryptographic Modules.

The new FIPS 140-2 standard, which replaces the 140-1 standard from
1994, goes into effect Nov. 25.

FIPS 140-2 covers four increasing levels of security, to encompass a
range of applications:

* Security Level 1 specifies basic security, such as a PC encryption

* Security Level 2 adds physical security to Level 1 products by
  requiring tamper-evident coatings or seals, or pick-resistant
  locks. It also requires role-based authentication of users and that
  operating systems meet the new Common Criteria Controlled Access
  Protection Profile. 

* Security Level 3 strengthens physical security, requires
  identity-based authentication, and requires physical separation of
  data ports. There are also additional levels of Common Criteria

* Security Level 4 builds on all of the other requirements, as well as
  the ability to electronically erase information if the environmental
  conditions around the module change dramatically or if there are
  drastic fluctuations in the modules operating ranges. 

NIST maintains a list of vendors and modules with FIPS 140-1 and 140-2
validation on its Web site.

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com 

  By Date           By Thread  

Current thread:
  • New standard set for security William Knowles (Jun 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]