0% found this document useful (0 votes)

3 views3 pages

ReportTask 1

Uploaded by

Aqib khan

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

3 views3 pages

ReportTask 1

Uploaded by

Aqib khan

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 3

Task 1: Comparison of FIPS 140-2, FIPS 140-3, and Common Criteria

1. Introduction

Security standards play a crucial role in ensuring the integrity, confidentiality, and
availability of information systems. This report compares FIPS 140-2, FIPS 140-3,
and Common Criteria (CC)—three widely recognized security evaluation frameworks.

2. FIPS 140-2 (Federal Information Processing Standard 140-2)

Overview

• Published by NIST (National Institute of Standards and Technology) in 2001.

• Defines security requirements for cryptographic modules used in government and

private sectors.

• Focuses on four security levels (Level 1 to Level 4), with increasing security
assurance.

Key Features

• Level 1: Basic security (e.g., encryption algorithms).

• Level 2: Adds role-based authentication and tamper-evident seals.

• Level 3: Requires physical tamper resistance and identity-based authentication.

• Level 4: Highest level, protecting against environmental attacks.

Limitations

• Lacks modern cryptographic algorithms (e.g., SHA-3, AES-256).

• Does not fully address side-channel attacks.

3. FIPS 140-3 (Federal Information Processing Standard 140-3)

Overview

• Released in 2019 as an update to FIPS 140-2.

• Aligns with ISO/IEC 19790:2012 for international consistency.

• Enhances testing methodologies via CMVP (Cryptographic Module Validation

Program).

Key Improvements Over FIPS 140-2

• Stronger cryptographic requirements (e.g., post-quantum resistance
considerations).

• Enhanced physical security (e.g., advanced tamper detection).

• More rigorous testing (e.g., side-channel attack resistance).

• Software/firmware integrity checks (e.g., secure boot).

Security Levels (Same as FIPS 140-2 but Enhanced)

• Level 1: Minimal security.

• Level 2-4: More stringent requirements for authentication, physical security, and
environmental failure testing.

4. Common Criteria (CC) for Information Security Evaluations

Overview

• An international standard (ISO/IEC 15408) for evaluating IT security products.

• Uses Protection Profiles (PPs) and Security Targets (STs) for assessments.

• Provides Evaluation Assurance Levels (EAL 1-7), where higher levels mean stricter
testing.

Key Components

• Security Functional Requirements (SFRs): Defines security capabilities (e.g.,

access control, audit logging).

• Security Assurance Requirements (SARs): Ensures correct implementation.

• Certification Process: Conducted by accredited labs (e.g., NIAP in the U.S.).

Comparison with FIPS 140-2/3

Feature FIPS 140-2 FIPS 140-3 Common Criteria

Cryptographic Cryptographic Broad IT security

Scope
modules modules products

Security Levels 1-4 1-4 EAL 1-7

Enhanced crypto &

Encryption & Comprehensive
Focus side-channel
physical security security evaluation
resistance

International ISO/IEC 15408

U.S. standard Aligns with ISO 19790
Alignment (Global)

Testing EAL-based
CMVP validation CMVP + ISO 19790
Methodology evaluation

5. Conclusion

• FIPS 140-2/3 are specialized for cryptographic modules, with FIPS 140-3 being more
modern.

• Common Criteria is broader, covering diverse IT security products with flexible

assurance levels.

• Organizations handling sensitive government data may require FIPS validation,

while enterprise security products often seek Common Criteria certification.

Security Requirements For Cryptographic Modules: Fips Pub 140-3 (Draft)
No ratings yet
Security Requirements For Cryptographic Modules: Fips Pub 140-3 (Draft)
63 pages
A Security Business Case For Common Criteria
No ratings yet
A Security Business Case For Common Criteria
34 pages
Dod 85
No ratings yet
Dod 85
116 pages
ICMC 2023 C30A Kelvin Desplanque FINAL
No ratings yet
ICMC 2023 C30A Kelvin Desplanque FINAL
22 pages
Trusted Systems Security Guide
No ratings yet
Trusted Systems Security Guide
122 pages
sp800 29
No ratings yet
sp800 29
29 pages
Assignment - Comparison and Contrast On TCSEC, CC, SSE-CMM and ISO27001
100% (1)
Assignment - Comparison and Contrast On TCSEC, CC, SSE-CMM and ISO27001
5 pages
NIST SP 800-56Br2
No ratings yet
NIST SP 800-56Br2
131 pages
Lecture - 12 - Evaluation Standards
No ratings yet
Lecture - 12 - Evaluation Standards
40 pages
CISSP Program Overview
No ratings yet
CISSP Program Overview
19 pages
Trusted Product Evaluation Guide
No ratings yet
Trusted Product Evaluation Guide
34 pages
CompTIA Security+ SY0-701 Exam Guide
No ratings yet
CompTIA Security+ SY0-701 Exam Guide
4 pages
IS 2150 / TEL 2810 CC Evaluation, Risk Management, Legal Issues, Physical Security
No ratings yet
IS 2150 / TEL 2810 CC Evaluation, Risk Management, Legal Issues, Physical Security
66 pages
SP800 53
No ratings yet
SP800 53
123 pages
Digi Connect It 4 Fips 140 KTMM
No ratings yet
Digi Connect It 4 Fips 140 KTMM
6 pages
Unit-1-Cyber Security Specialization - Securing Windows & Linux
No ratings yet
Unit-1-Cyber Security Specialization - Securing Windows & Linux
34 pages
Cyber Security Activities at The
No ratings yet
Cyber Security Activities at The
49 pages
Lecture CC
No ratings yet
Lecture CC
25 pages
Common Criteria and ISA IEC 62443 Comparison-Technical Report
No ratings yet
Common Criteria and ISA IEC 62443 Comparison-Technical Report
10 pages
OS Protection and Security
No ratings yet
OS Protection and Security
22 pages
Security Standards White Paper
100% (1)
Security Standards White Paper
60 pages
System Security Planning Guide
No ratings yet
System Security Planning Guide
8 pages
Week 15 Assurance - 250706 - 114840
No ratings yet
Week 15 Assurance - 250706 - 114840
16 pages
Computer Security I
No ratings yet
Computer Security I
59 pages
NSC Assignment Mark Scheme Autumn 2018
No ratings yet
NSC Assignment Mark Scheme Autumn 2018
5 pages
Nist SP 800-130
No ratings yet
Nist SP 800-130
120 pages
Device Locks Unfortunately
No ratings yet
Device Locks Unfortunately
5 pages
A Guide To Understanding Audit in Trusted Systems: NCSC-TG-001 Library No. S-228,470
No ratings yet
A Guide To Understanding Audit in Trusted Systems: NCSC-TG-001 Library No. S-228,470
32 pages
21IT116-VIBISHANAN S-Ethical Hacking
No ratings yet
21IT116-VIBISHANAN S-Ethical Hacking
10 pages
Network Intrusion Detection-An Analyst's Handbook
No ratings yet
Network Intrusion Detection-An Analyst's Handbook
22 pages
NCSC-TG-023 A Guide To Security Testing and Test Documentation in Trusted Systems (Bright Orange Book)
No ratings yet
NCSC-TG-023 A Guide To Security Testing and Test Documentation in Trusted Systems (Bright Orange Book)
124 pages
Assessing and Improving Cybersecurity Maturity For Smes: Standardization Aspects
No ratings yet
Assessing and Improving Cybersecurity Maturity For Smes: Standardization Aspects
8 pages
White Paper - Embedded System Security
No ratings yet
White Paper - Embedded System Security
33 pages
P2 M810 Audtec
No ratings yet
P2 M810 Audtec
11 pages
6003
No ratings yet
6003
73 pages
NHTSA Cyber Security Best Practices Study: December 7, 2011
No ratings yet
NHTSA Cyber Security Best Practices Study: December 7, 2011
17 pages
Systems Security Engineering: NIST Special Publication 800-160
No ratings yet
Systems Security Engineering: NIST Special Publication 800-160
121 pages
CISSP Certification Essentials
67% (3)
CISSP Certification Essentials
13 pages
Sp800 37r2 Draft Ipd
No ratings yet
Sp800 37r2 Draft Ipd
149 pages
System Security
No ratings yet
System Security
4 pages
Cissp 4
No ratings yet
Cissp 4
8 pages
Mindmap Cissp Khusu
No ratings yet
Mindmap Cissp Khusu
70 pages
Cissp® - New
No ratings yet
Cissp® - New
16 pages
Fipspub 190
No ratings yet
Fipspub 190
64 pages
What Is FIPS 140?
No ratings yet
What Is FIPS 140?
2 pages
Paramean - Serverless - Infraless
No ratings yet
Paramean - Serverless - Infraless
13 pages
Systems Security Engineering: NIST Special Publication 800-160
No ratings yet
Systems Security Engineering: NIST Special Publication 800-160
257 pages
Segurança Cibernética Na Automação Industrial
No ratings yet
Segurança Cibernética Na Automação Industrial
31 pages
Course Overview: This Course Provides In-Depth Coverage of The Eight Domains Required To Pass The CISSP Exam
No ratings yet
Course Overview: This Course Provides In-Depth Coverage of The Eight Domains Required To Pass The CISSP Exam
30 pages
Comprehensive IT Governance Standards
0% (1)
Comprehensive IT Governance Standards
1 page
Draft: Security Requirements For Cryptographic Modules
No ratings yet
Draft: Security Requirements For Cryptographic Modules
8 pages
NIST Reference Documents
No ratings yet
NIST Reference Documents
4 pages
A Layered Security Architecture: Design Issues
No ratings yet
A Layered Security Architecture: Design Issues
12 pages
Security Bscis 422 Outline
No ratings yet
Security Bscis 422 Outline
4 pages
Secure Networks (Firewall)
No ratings yet
Secure Networks (Firewall)
33 pages
Feasibility Analysis
No ratings yet
Feasibility Analysis
2 pages
TransectionManagement Part1
No ratings yet
TransectionManagement Part1
29 pages
Lecture 9
No ratings yet
Lecture 9
31 pages
Accountability and Auditing
No ratings yet
Accountability and Auditing
15 pages
Source Code
No ratings yet
Source Code
7 pages
PDC Lecture 12
No ratings yet
PDC Lecture 12
42 pages
Assignment 4 (21-cs-51 & 21-cs-98)
No ratings yet
Assignment 4 (21-cs-51 & 21-cs-98)
8 pages
App File
No ratings yet
App File
1 page
Assignment 3
No ratings yet
Assignment 3
1 page
Excel 365 Lab Evaluation Sample
No ratings yet
Excel 365 Lab Evaluation Sample
6 pages
PDC-Assignment 03 1
No ratings yet
PDC-Assignment 03 1
1 page
Muhammad Sameer Ahmed 23-CS-56 Assignment 2
No ratings yet
Muhammad Sameer Ahmed 23-CS-56 Assignment 2
3 pages
Legacy Asset Data Transfer Guide
No ratings yet
Legacy Asset Data Transfer Guide
18 pages
Faa STC Sa02571se
No ratings yet
Faa STC Sa02571se
3 pages
Gaurav Dang: Senior Product Manager Expertise
No ratings yet
Gaurav Dang: Senior Product Manager Expertise
1 page
It Policy Latest
No ratings yet
It Policy Latest
17 pages
Rizal Law and Filipino Nationalism
No ratings yet
Rizal Law and Filipino Nationalism
13 pages
VAHAN 4.0 (Citizen Services) Onlineapp02 150 8013 A
No ratings yet
VAHAN 4.0 (Citizen Services) Onlineapp02 150 8013 A
1 page
Guidance Document Food Safety and Quality Culture V6 1
No ratings yet
Guidance Document Food Safety and Quality Culture V6 1
20 pages
(Ebook) ICAO Doc 9284 Technical Instructions For The Safe Transport of Dangerous Goods by Air by ICAO ISBN 9789292495824, 9292495828
100% (4)
(Ebook) ICAO Doc 9284 Technical Instructions For The Safe Transport of Dangerous Goods by Air by ICAO ISBN 9789292495824, 9292495828
81 pages
Nursing Patient Safety Incident Report
No ratings yet
Nursing Patient Safety Incident Report
9 pages
NABL Density Certificate For Nitrile Rubber Tube Insulation For Hvac
No ratings yet
NABL Density Certificate For Nitrile Rubber Tube Insulation For Hvac
1 page
HRM Suggestions
No ratings yet
HRM Suggestions
3 pages
Comaroffs, Occult Economies (1999)
No ratings yet
Comaroffs, Occult Economies (1999)
26 pages
Difusor Beyma
No ratings yet
Difusor Beyma
2 pages
Master Rotation
No ratings yet
Master Rotation
6 pages
Statement Sep 2024
No ratings yet
Statement Sep 2024
2 pages
TCM Fd30t3 - fd30c3z Vol.1
100% (1)
TCM Fd30t3 - fd30c3z Vol.1
600 pages
WPS 19
100% (1)
WPS 19
15 pages
Comission Amen To
No ratings yet
Comission Amen To
8 pages
MG 1351 - Principles of Management 20 Essay Questions and
93% (112)
MG 1351 - Principles of Management 20 Essay Questions and
15 pages
Source Codes Ma Adx Ea
No ratings yet
Source Codes Ma Adx Ea
16 pages
Solutions For Tutorial Sheet 3
No ratings yet
Solutions For Tutorial Sheet 3
16 pages
Pi - Titan Utto To-4 Sae 60 - 08.22
No ratings yet
Pi - Titan Utto To-4 Sae 60 - 08.22
3 pages
Custom Partition - Building Data Streaming Applications With Apache Kafka
No ratings yet
Custom Partition - Building Data Streaming Applications With Apache Kafka
1 page
Informed Consent
No ratings yet
Informed Consent
2 pages
Call History 640273efa1d48
No ratings yet
Call History 640273efa1d48
2 pages
Unit Plan For Class 10
No ratings yet
Unit Plan For Class 10
5 pages
Đề Thi Chính Thức Vào 10 Môn Anh Năm Học 2022 2023 TP. Hồ Chí Minh
100% (1)
Đề Thi Chính Thức Vào 10 Môn Anh Năm Học 2022 2023 TP. Hồ Chí Minh
5 pages
AMAF - ASEAN - Gender Mainstreaming Guidelines
No ratings yet
AMAF - ASEAN - Gender Mainstreaming Guidelines
28 pages
Air Drill 8843914 PDF
No ratings yet
Air Drill 8843914 PDF
14 pages
Assignment - I
No ratings yet
Assignment - I
2 pages

ReportTask 1

Uploaded by

ReportTask 1

Uploaded by

Task 1: Comparison of FIPS 140-2, FIPS 140-3, and Common Criteria

2. FIPS 140-2 (Federal Information Processing Standard 140-2)

• Published by NIST (National Institute of Standards and Technology) in 2001.

• Defines security requirements for cryptographic modules used in government and

• Level 1: Basic security (e.g., encryption algorithms).

• Level 2: Adds role-based authentication and tamper-evident seals.

• Level 3: Requires physical tamper resistance and identity-based authentication.

• Level 4: Highest level, protecting against environmental attacks.

• Lacks modern cryptographic algorithms (e.g., SHA-3, AES-256).

• Does not fully address side-channel attacks.

3. FIPS 140-3 (Federal Information Processing Standard 140-3)

• Released in 2019 as an update to FIPS 140-2.

• Aligns with ISO/IEC 19790:2012 for international consistency.

• Enhances testing methodologies via CMVP (Cryptographic Module Validation

Key Improvements Over FIPS 140-2

• Enhanced physical security (e.g., advanced tamper detection).

• More rigorous testing (e.g., side-channel attack resistance).

• Software/firmware integrity checks (e.g., secure boot).

Security Levels (Same as FIPS 140-2 but Enhanced)

• Level 1: Minimal security.

4. Common Criteria (CC) for Information Security Evaluations

• An international standard (ISO/IEC 15408) for evaluating IT security products.

• Security Functional Requirements (SFRs): Defines security capabilities (e.g.,

• Security Assurance Requirements (SARs): Ensures correct implementation.

• Certification Process: Conducted by accredited labs (e.g., NIAP in the U.S.).

Feature FIPS 140-2 FIPS 140-3 Common Criteria

Cryptographic Cryptographic Broad IT security

Security Levels 1-4 1-4 EAL 1-7

Enhanced crypto &

International ISO/IEC 15408

• Common Criteria is broader, covering diverse IT security products with flexible

• Organizations handling sensitive government data may require FIPS validation,

You might also like