Security Requirements for Cryptographic Modules (FIPS 140-2)

The system is intended for commercial use. Since it uses encryption to perform security functions, it is subject to the guidelines set forth by NIST in the FIPS 140-2 publication for agencies that require compliance. The module validation process is called the Cryptographic Module Validation Program, and is outlined in the FIPS 140-2 publication. FIPS 140-2 is an all-encompassing encryption standard and specifies key management, communication mechanisms, and so forth.

The abstract from the FIPS 140-2 publication is provided here for convenience:

The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security in its computer and telecommunication systems. This publication provides a standard that will be used by Federal organizations when these organizations specify that cryptographic- based security systems are to be used to provide protection for sensitive or valuable data. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. This standard specifies the security requirements that will be satisfied by a cryptographic module. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/ electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.

(http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)