FIPS 140-2: Validation versus Compliance

The Federal Information Processing Standards (FIPS) are a set of guidelines defined by the National Institute of Standards and Technology (NIST) regarding information processing, encryption, and IT infrastructure for the management of sensitive-but-unclassified (SBU) data. FIPS serves as a standard for IT operations & infrastructure with respect to government agencies. Business entities who wish to handle some or all of an agency’s communications needs must undergo FIPS-validation testing. FIPS-validation signals to business partners in the government domain: this product does what you need it to do, in the way you need it done. Specifically, FIPS 140-2 is designed to ensure that a product’s cryptographic modules and processing mechanisms are up to the mandated standard for SBU data.

When considering products or services for handling an agency’s information, it is common to see two variations of FIPS accreditation: FIPS validated and FIPS compliant. Although they seem similar, there are different implications with these two labels. 

FIPS Validation means a product has undergone and passed detailed conformance testing at an accredited national laboratory.

FIPS Compliance means that different components of a product have received FIPS validation, but the product in its entirety has not passed testing or has not been tested at all.

This is an important distinction as one term (validation) denotes a fully standardized and conformant solution, while the other (compliance) does not.

REDCOM products such as REDCOM Sigma® and the REDCOM Secure Client for Android have passed FIPS 140-2 validation testing, meaning that we can provide standardized, secure solutions for government agencies by appropriately handling SBU data.