Encryption is a vital element for protecting sensitive business data, but encryption that meets Federal Information Processing Standards (FIPS) brings your security to a whole new level.
FIPS identifies security requirements for cryptographic modules, which are the hardware, software, and/or firmware programs that execute security functions.
When it comes to encrypting information, there is no single standard way of transforming clear text into ciphertext. Methods and algorithms vary, and not all encryption processes are equally effective.
While many private sector businesses can use whatever encryption scheme works best for them, certain organizations, such as the US Federal Government, require the non-military agencies it works with to meet FIPS 140-2.
What is FIPS 140-2?
Developed by the National Institute of Standards and Technology (NIST), FIPS 140-2 identifies security requirements for cryptographic modules and ensures that the government’s sensitive information is protected.
FIPS 140-2 has four levels of security, with the higher levels providing more robust protection features than lower ones:
- Level 1 has the simplest requirements, such as using a tested encryption algorithm and using production-grade equipment.
- Level 2 factors in physical security protections, requiring role-based authentication and tamper-evident technology, such as seals and pick-resistant locks. Cryptographic modules must be run in an evaluated operating system environment.
- Level 3 is the most common level of organizational compliance because it balances security with ease of use. It takes the requirements of levels one and two and adds further physical security measures, such as tamper-resistant devices, strong module enclosures, and the separation of ports or interfaces to protect components from unauthorized actions.
- Level 4 provides the highest level of security, requiring a trusted operating system environment and enhanced physical security mechanisms.
What is FIPS 140-2 encryption used for?
FIPS 140-2 security requirements apply to sensitive but unclassified (SBU) information. Federal law defines SBU material as information that is not classified for reasons of national security but that merits protection from unauthorized or public disclosure for other reasons.
Examples of sensitive but unclassified information include:
- Personal information about employees (e.g., payroll information, medical records).
- Confidential business information (e.g., trade secrets, contractor proposals).
- Protected health information (PHI).
- Personally identifiable information (PII).
- Law enforcement information.
- Privileged attorney-client communications.
- Material identified as For Official Use Only (FOUO).
What organizations require FIPS 140-2 compliance?
The Federal Information Security Modernization Act (FISMA) requires federal agencies to develop and implement information security and protection programs based on key security standards and guidelines.
FISMA requirements, including FIPS 140-2 validation, also apply to any private organizations or individuals involved in a contractual relationship with the US government.
In addition to federal agencies, many state and local governmental bodies use FIPS 140-2 to protect sensitive data. For example, state agencies that administer federal programs (e.g., Medicare, Medicaid, or unemployment insurance) must comply with FISMA’s mandates.
In general, any company that handles private customer data benefits from FIPS 140-2 compliance.
Organizations in the private sector can also use FIPS 140-2 to strengthen their data protection programs. This is especially important for industries that are subject to federal regulations governing data security. These non-governmental organizations include, but are not limited to, healthcare, finance, merchants and service providers, and manufacturers.
Healthcare
The healthcare industry is tasked with safeguarding protected health information, or PHI. Modern technologies have changed the methods and platforms that providers and patients use to interact, but they must meet certain specifications for HIPAA compliance.
To protect sensitive healthcare data, the US Department of Health and Human Services (HHS) recommends using encryption processes that are FIPS 140-2 validated.
Banking and Finance
Banks and financial organizations collect and generate large volumes of personally identifiable information and nonpublic personal information (NPI). The Gramm-Leach-Bliley Act (GLBA) requires companies that provide financial products or services to protect their customers’ sensitive data.
With institutional penalties for GLBA infractions running as high as $100,000 per violation, FIPS 140-2 encryption ensures that customer records and information are protected against potential threats.
Merchants and Service Providers
Any entity that handles payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS stipulates that companies that process, store, or transmit payment card data must encrypt the data both at rest and in transit. Failure to do so can result in fines and penalties.
Manufacturing and Product Testing
Devices that process and receive electronic data use encryption to keep the information secure. Manufacturers and testers of electronic devices must remain in compliance with industry standards to address and prevent security vulnerabilities.
To streamline this process, NIST requires any product that adheres to the international standard to use FIPS-compliant encryption.
Why is FIPS 140-2 important?
Data encryption is a key element of an organization’s data security strategy. In addition to adhering to applicable laws and regulations, FIPS 140-2 encryption ensures that consumer data won’t be compromised in the event of a breach.
FIPS 140-2 compliance ensures a high degree of system security, which is critical in the protection of sensitive but unclassified information. Obtaining FIPS 140-2 validation demonstrates that the technology has passed rigorous testing with an accredited lab, ensuring that the product can be used to protect sensitive information.
FISMA mandates that vendors satisfy FIPS 140-2 requirements in order to sell their solutions to the government. Non-compliance with FISMA security standards puts agencies and organizations at an increased risk of system vulnerabilities that could compromise their sensitive but unclassified data.
Government agencies, and the private companies or contractors they work with, may face a range of penalties for failing to comply with FISMA, such as reputation damage, congressional censure, or a reduction in funding.
WinZip Enterprise offers FIPS 140-2 compliant security
WinZip® Enterprise shares and stores files securely using the Advanced Encryption Standard (AES). AES is a symmetric-key algorithm that is FIPS 140-2 compliant. As part of the compliance process, WinZip Enterprise uses FIPS-enabled computers to ensure files are protected in transit and at rest.
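A compliant application only inherits the protection of a "FIPS-enabled computer" if the Windows FIPS policy is actually switched on, so an administrator will want to verify that state before relying on it. The following PowerShell snippet is an added example, not WinZip's own code or tooling; it reads the Windows policy value that the "System cryptography: Use FIPS compliant algorithms" Group Policy setting controls and reports the result. The function name and output strings are my own.

```powershell
# Added example (not part of WinZip Enterprise): report whether the Windows
# FIPS algorithm policy is enabled on this host.
function Test-WindowsFipsPolicy {
    # This registry value is what the "System cryptography: Use FIPS compliant
    # algorithms for encryption, hashing, and signing" policy sets (1 = enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the policy has never been configured, so treat as disabled.
        return $false
    }
    return ($item.Enabled -eq 1)
}

if (Test-WindowsFipsPolicy) {
    Write-Output "FIPS algorithm policy: ENABLED on $env:COMPUTERNAME"
} else {
    Write-Output "FIPS algorithm policy: DISABLED on $env:COMPUTERNAME (enable via Group Policy before relying on FIPS-only operation)"
}
```

Run it in an elevated or standard PowerShell session on each workstation or server where FIPS-only operation is expected; a result of DISABLED means the host's cryptographic providers are not being restricted to validated algorithms, regardless of what the application layer advertises.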
Thanks to the strongest layer of FIPS 140-2 encryption, WinZip Enterprise helps safeguard data and ensures that companies meet federal requirements for data protection and encryption.
Fully compatible with leading services like Dropbox, SharePoint, and Google Drive, WinZip Enterprise also makes it easy for end users to share files securely across storage providers, and it is backed by military-grade encryption.
Learn more about how WinZip Enterprise protects your data with FIPS 140-2 encryption.