In SAS 9.3, FIPS
140-2 standards are supported for
SAS/SECURE and SSL Encryption technologies.

FIPS 140-2 is not a technology, but a definition of what security
mechanisms should do. FIPS 140-2 is the current version of the Federal
Information Processing Standardization 140 (FIPS 140) publication.
FIPS 140-2 is a standard that describes US Federal government requirements
that IT products should meet for Sensitive, but Unclassified (SBU)
use. The standard defines the security requirements that must be satisfied
by a cryptographic module used in a security system protecting unclassified
information within IT systems. FIPS 140-2 requires organizations that
do business with a government agency or department that requires the
exchange of sensitive information to ensure that they meet the FIPS
140-2 security standards. In addition, the financial community increasingly
specifies FIPS 140-2 as a procurement requirement.

The National Institute
of Standards and Technology (NIST) issued the FIPS 140 Publication
Series to coordinate the requirements and standards for cryptography
modules that include both hardware and software components. Federal
agencies and departments can validate that the module in use is covered
by an existing FIPS 140-1 or FIPS 140-2 certificate that specifies
the exact module name, hardware, software, firmware, and applet version
numbers. For more information, see
SECURITY REQUIREMENTS FOR
CRYPTOGRAPHIC MODULES.

There are four levels
of security: from Level 1 (lowest) to Level 4 (highest). The security
requirements cover areas related to the secure design and implementation
of a cryptographic module. These areas include basic design and documentation,
module interfaces, authorized roles and services, physical security,
software security, operating system security, key management, cryptographic
algorithms, electromagnetic interference/electromagnetic compatibility
(EMI/EMC), and self-testing.