FIPS140-2 VALIDATED

---

NIST Sets High Standards for Cryptographic Module Security Implementation

Data-at-Rest (DAR) security has quickly become a critical function in the deployment of Data Storage Devices.

C.O.T.S. storage vendors use terminologies such as Self-Encrypted Drive (SED) or Full-Disk Encryption (FDE), as well as Advanced Encryption Standard (AES) in the device specifications to claim compliance with DAR security requirements. Is this enough?

USA and other governments say NO. The US and Canadian authorities have set a higher security benchmark by defining the Federal Information Processing Standards (FIPS) Publication 140-2 (FIPS 140-2), the standard for defining design, implementation and operation requirements for a cryptographic module.

What does FIPS140-2 test for?

FIPS 140-2 is a US government standard that specifies the security requirements for cryptographic modules, including hardware and software components that perform cryptographic functions such as encryption and decryption. The standard defines four levels of security requirements that cryptographic modules must meet, ranging from level 1, which provides basic security functions, to level 4, which provides the highest level of security. The level of security required for a specific application depends on the sensitivity of the data being protected and the potential consequences of a security breach.

•  Level 1: The lowest level of security, which provides basic security functions and is applicable to modules that have limited requirements for security.
•  Level 2: Provides tamper-evident features and role-based authentication to prevent unauthorized access to critical security parameters.
•  Level 3: Provides physical security mechanisms that detect and respond to attempts to access the module's critical security parameters.
•  Level 4: The highest level of security, which provides the most robust protections against physical and logical attacks. This level requires a higher degree of physical security than level 3 and includes additional requirements for the module's design and operational environment.

The FIPS 140-2 validation process tests cryptographic modules against a set of rigorous security requirements that cover areas such as cryptographic algorithms, key management, physical security, and operational environments. The tests include both functional and design assurance requirements to ensure that the cryptographic module operates correctly and securely and that its design and implementation are free from vulnerabilities. The validation process involves a comprehensive testing and evaluation process performed by accredited third-party laboratories, and cryptographic modules must pass all tests to receive FIPS 140-2 certification.

FIPS 140-2 Validated vs. ‘Compliant’ vs. ‘Eligible’ vs. ‘Designed to Meet’

“FIPS validated” is the only phrase that describes acceptance by NIST of a fully tested module. “FIPS compliant”, “FIPS Eligible” or “Designed to Meet” are merely marketing terms of confusion.

If you're looking for FIPS140-2 validated, make sure to ask your vendor their certificate number, and look them up on the NIST website for which products have been validated.

MEMKOR FIPS140-2 Level-2 Certificate #3750

Link to NIST.gov - Cert 3750

The FIPS 140-2 benchmark is so high that only a few SSD manufacturers have been able to successfully complete FIPS 140-2 validation. The FIPS 140-2 not only validates the encryption engine itself, but it also considers a much broader and more complex way of looking into existing ports and interfaces. It evaluates internal states of the module from a security standpoint. It checks how random the “random number generator” really is, how good the authentication algorithm is, and assesses how the Cryptographic Keys are created, managed and protected. It also includes a self-test requirement to make sure that the module verifies in real-time that all security components are still operating as they were validated. Tamper evident or anti-tamper construction is required. A number of underlying technologies require a separate NIST certifications and are pre-requisites to FIPS 140-2 validation. Notably, FIPS-197 process certifies the suitability of the encryption algorithm.

MEMKOR FIPS 140-2 Validated MKD-O2F Cryptographic Modules

MEMKOR MKD-O2F family of cryptographic modules, validated to FIPS140-2 Level-2.

In addition to meeting the stringent security requirements of the FIPS 140-2 standard, MEMKOR Military-grade SSDs are built to withstand extreme temperatures, extreme shock, and extreme vibration, making them ideal for use in harsh environments where standard SSDs fail. MEMKOR FIPS140-2 solutions span across our 30gRMS ruggedized BLACK-series and 16.3gRMS high performance ORANGE-series SSDs. Available in a broad spectrum of form factors, including 2.5” SATA and PCIe/NVMe, or M.2 SATA, with capacities ranging from 250GB to 4TB.

 MEMKOR SSDs are built using high-endurance NAND, which provides reliable performance and endurance under heavy workloads in temperature extremes. Ruggedization features include ruggedized components and PCB, rugged connectors, conformal coating, and advanced thermal management technologies.

With the added ruggedization, MEMKOR FIPS 140-2 validated SSDs are a top choice for military and aerospace applications that require highly reliable and secure storage solutions in the field. Secure your Data. Protect your Data.

For more information, check out our blog entries about FIPS140-2 and FIPS140-3

• Cracking the Code: FIPS140-2 and FIPS140-3
• Details behind of FIPS 140-2
• Protecting Data-At-Rest (DAR)
• SSD Security - Encryption | FIPS Compliance | TCG OPAL