AGENCY:

National Institute of Standards and Technology (NIST), Commerce.

ACTION:

Notice.

SUMMARY:

The Secretary of Commerce approves FIPS 140-2, Security Requirements for Cryptographic Modules, which supersedes FIPS Standard 140-1, and makes it compulsory and binding on Federal agencies for the protection of sensitive, unclassified information, FIPS 140-1, which was first published in 1994, specified that it would be reviewed within five years. FIPS 140-2 is the result of the review and replaces FIPS 140-1.

DATE:

This standard is effective November 25, 2001.

FOR FURTHER INFORMATION CONTACT:

Mr. Ray Snouffer, (301) 975-4436, National Institute of Standards and Technology, 100 Bureau Drive, STOP 8930, Gaithersburg, MD 20899-8930.

A copy of FIPS 140-2 is available electronically from the NIST website at:

<http://csrc.nist.gov/​cryptval/​>

SUPPLEMENTARY INFORMATION:

FIPS 140-1, Security Requirements for Cryptographic Modules, first issued in 1994, identified requirements for four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g., low value administrative data, million dollar funds transfers, and life protecting data), and a diversity of application environments. Over 140 modules have been tested by accredited private-sector laboratories and validated to-date as conforming to this standard. The standard provided that it be reviewed within five years to consider its continued usefulness and to determine whether new or revised requirements should be added.Start Printed Page 34155

A notice was published in the Federal Register (63 FR 56910) on October 23, 1998, soliciting public comments on reaffirming FIPS 140-1. The comments supported reaffirming FIPS 140-1 with technical modifications to address advances in technology since FIPS 140-1 was issued. A notice was published in the Federal Register (64 FR 62654) on November 17, 1999, soliciting public comments on proposed FIPS 140-2, a revision of FIPS 140-1 making such technical modifications. The comments received (available at http://csrc.nist.gov/​cryptval/​) supported the issuance of proposed FIPS 140-2 with technical and editorial changes. None of them opposed the proposed revision of FIPS 140-1.

The Secretary of Commerce, after making appropriate revisions to proposed FIPS 140-2, approves it, and makes it compulsory and binding on Federal agencies for the protection of sensitive, unclassified information.

Authority: Under Section 5131 of the Information Technology Management Reform Act of 1996 and the Computer Security Act of 1987, the Secretary of Commerce is authorized to approve standards and guidelines for the cost effective security and privacy of sensitive information processed by federal computer systems.

E.O. 12866: This notice has been determined to be significant for the purposes of E.O. 12866.