The Algorithm
Cryptographic Standard

FIPS 140

FIPS 140 is the US federal standard for cryptographic modules — mandatory for any system handling sensitive federal data, and the hidden compliance requirement that breaks unprepared FedRAMP and CMMC implementations.

What You Need to Know

Federal Information Processing Standard 140 (FIPS 140) specifies the security requirements for cryptographic modules used by federal agencies to protect sensitive information. FIPS 140-3 (aligned with ISO/IEC 19790) defines four security levels. FIPS 140-2 remains widely referenced in existing authorizations. Cryptographic modules — software libraries, hardware security modules, or firmware — must be validated by an accredited laboratory and listed on the NIST Cryptographic Module Validation Program (CMVP) to be considered FIPS-compliant.

FIPS 140 compliance is a practical engineering constraint that is frequently discovered too late. The requirement applies not just to encryption algorithms but to the specific cryptographic module implementation. OpenSSL is not FIPS-validated. The BoringCrypto module that Google maintains for federal use is validated. AWS FIPS endpoints use validated modules. The distinction between "uses AES-256" and "uses a FIPS 140-2 validated module to perform AES-256" is exactly what FedRAMP and CMMC assessors test — and where unprepared systems fail.

The architectural implications of FIPS 140 are significant. Systems must be configured to use only FIPS-validated cryptographic modules at every layer: TLS cipher suite configuration, database encryption, key management, code signing, and certificate validation. Using a non-FIPS-validated library for any of these creates a compliance gap. FIPS-compliant architectures must be designed from the first infrastructure decision, not retrofitted after assessment.

How We Handle It

We architect FIPS 140 compliance into systems from day one — selecting FIPS-validated cryptographic modules at every layer, configuring TLS to use only approved cipher suites, deploying AWS GovCloud or Azure Government FIPS endpoints where required, and enforcing FIPS compliance through policy-as-code checks that block non-compliant cryptographic configurations before deployment.
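A policy-as-code gate of the kind described above, as an added example that is not the page's or the firm's own tooling: it scans a colon-separated TLS cipher list (IANA or OpenSSL suite names) and rejects any suite whose bulk cipher, hash or key exchange is not FIPS-approved, so a non-compliant TLS configuration fails before deployment. The rule table and the function names are assumptions, a simplified subset of NIST SP 800-52 Rev. 2 guidance rather than a complete policy.

```python
"""Hypothetical policy-as-code check for the FIPS cipher-suite constraint.
NON_APPROVED is an assumption: a simplified subset of NIST SP 800-52 Rev. 2,
to be extended with the assessor's guidance for the target authorization."""
import re

# Algorithm tokens, as they appear in IANA (TLS_..._WITH_...) and OpenSSL
# (ECDHE-RSA-...) suite names, that are not FIPS-approved. Matched by prefix
# so that CAMELLIA256 or EXPORT resolve as well as the bare token.
NON_APPROVED = {
    "CHACHA20": "ChaCha20-Poly1305 is not a FIPS-approved cipher",
    "RC4": "RC4 is not an approved cipher",
    "3DES": "Triple DES is disallowed for new use",
    "DES": "DES is not an approved cipher",
    "NULL": "NULL cipher or MAC provides no protection",
    "MD5": "MD5 is not an approved hash",
    "CAMELLIA": "Camellia is not a FIPS-approved cipher",
    "ARIA": "ARIA is not a FIPS-approved cipher",
    "ANON": "anonymous key exchange is not allowed",
    "ADH": "anonymous DH key exchange is not allowed",
    "AECDH": "anonymous ECDH key exchange is not allowed",
    "EXP": "export-grade suites are not allowed",
}

# Constructed sample: a cipher list mixing approved and unapproved suites.
SAMPLE_CONFIG = ("TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
                 "TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-CAMELLIA256-SHA384:"
                 "TLS_RSA_WITH_3DES_EDE_CBC_SHA")


def violations(cipher_list):
    """Check a colon-separated cipher list (nginx/Apache ssl_ciphers style).
    Explicit suite names only; OpenSSL keywords such as HIGH or !aNULL are
    not expanded. Returns [(suite, reason), ...]; empty means every suite
    passed. A suite is rejected on its first non-approved token, or if its
    bulk cipher is not AES (the only block cipher this policy accepts)."""
    found = []
    for suite in (s.strip() for s in cipher_list.split(":") if s.strip()):
        tokens = re.split(r"[-_]", suite.upper())  # handles both name styles
        hit = next((k for t in tokens for k in NON_APPROVED
                    if t.startswith(k)), None)
        if hit:
            found.append((suite, NON_APPROVED[hit]))
        elif not any(t.startswith("AES") for t in tokens):
            found.append((suite, "bulk cipher is not AES"))
    return found


def deployment_allowed(cipher_list):
    """Pipeline gate: True only when no suite in the list is rejected."""
    return not violations(cipher_list)
```

Run `violations(SAMPLE_CONFIG)` to see the three rejected suites with their reasons; `deployment_allowed(SAMPLE_CONFIG)` returns False for that list and True once only AES/SHA-2 suites remain.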
