
FIPS Compliant Is Not The Same As FIPS Certified


The Federal Information Processing Standard 140-2 (or FIPS 140-2) is a cryptography standard that non-military U.S. federal agencies, as well as government contractors and service providers, must comply with in order to work with any federal government entities that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. The FIPS 140-2 security standard is recognized by the U.S. and Canadian governments, as well as by the European Union.


FIPS 140-2 Is Important To Both The Public And Private Sectors

Because of the robust level of protection offered under FIPS 140-2, many state and local government agencies, as well as enterprises in the energy, transportation, manufacturing, healthcare and financial services sectors, depend on FIPS 140-2 as their go-to cryptography module standard. Given the importance of FIPS 140-2 to both the public and private sectors, it’s important to understand the difference between FIPS compliant or enabled and FIPS certified or validated.


Inside The FIPS Validation Process

To become FIPS 140-2 validated or certified, all components of a security solution (both hardware and software) must be tested and approved by one of the following NIST-accredited independent laboratories:

  • Advanced Data Security (San Jose, CA)
  • AEGISOLVE, Inc. (Mountain View, CA)
  • Acumen Security (Rockville, MD)
  • atsec Information Security Corporation (Austin, TX)
  • Booz Allen Hamilton Cyber Assurance Testing Laboratory (Laurel, MD)
  • COACT, Inc. Labs (Columbia, MD)
  • CygnaCom Solutions, Inc. (McLean, VA)
  • Gossamer Security Solutions (Catonsville, MD)
  • Leidos Accredited Testing & Evaluation Lab (Columbia, MD)
  • Penumbra Security, Inc. (Clackamas, OR)
  • UL Verification Service, Inc. (San Luis Obispo, CA)


As part of the FIPS 140-2 validation process, which generally takes 6-9 months, detailed documentation and source code must be sent to the testing laboratory. If the software fails during testing, it must be fixed and the testing process must be repeated from the start. If any portion of the software code changes, the code must be re-validated to ensure no errors have been introduced.


Why FIPS Compliant Isn’t Enough

IT security solutions marketed as FIPS compliant are claiming that the product meets FIPS requirements. However, this is very different from having a NIST-approved laboratory validate that the product meets FIPS requirements. During FIPS certification, the file transfer software and client and server applications are each independently tested to confirm they meet FIPS standards and are also checked for security vulnerabilities, predictable number generation and reckless disposal of keys.


Insist On FIPS Certified

The GoSilent Cube portable VPN/firewall offers robust encryption protection algorithms and design and uses FIPS CAVP certified algorithms. GoSilent deploys AES 256-bit encryption to protect sensitive data via dual tunnel, end-to-end encryption. Data never gets stored on an intermediary server, and no extra keys are ever generated.


As a fully portable, plug-and-play solution, GoSilent combines ease of use with Top Secret, government-grade protection. Today, GoSilent is protecting mission critical intellectual property and data worldwide for public and private sectors.

Read our product overview and customer use cases to learn more about how GoSilent secures the privacy and security of government agencies and enterprises in any sector.