6

I tried googling for this info but it's not easily available because FIPS 140-1 is now really old.

Does FIPS 140-2 automatically cover FIPS 140-1 - i.e. if a device (in my case an HSM - Hardware Security Module) is FIPS 140-2 Level 1 compliant, does that mean it's automatically FIPS 140-1 Level 4 compliant? In other words, does the lowest level of FIPS 140-2 automatically cover the highest level of FIPS 140-1?

Can FIPS 140-1 and 140-2 together be considered an 8-step process from 140-1 Level 1 to 140-2 Level 4 - i.e. if you have covered step X, does that automatically mean covering all steps between 1 and X?

user93353

1 Answer

8

The -1 or -2 part is a version number. A module that is FIPS-140-2-compliant is not more secure than a module that is FIPS-140-1-compliant, it is only more up-to-date in the certification process. The requirements for FIPS 140-1 level N and FIPS 140-2 level N are broadly similar. In other words, you get the same amount of security from FIPS 140-2 level 1 as from FIPS 140-1 level 1, and so on. There are 4 steps, not 8 — it's just that the requirements for climbing those steps were tweaked.

You can no longer have a product validated under FIPS 140-1, because it is no longer a current standard. I believe US agencies are still authorized to purchase products based on a FIPS 140-1 certificate, with the same level requirements as for FIPS 140-2 certifications.

Gilles 'SO- stop being evil'