FIPS 140-2 (Federal Information Processing Standard Publication 140-2) is a U.S. government standard developed by the National Institute of Standards and Technology (NIST) that specifies the security requirements for cryptographic modules—the hardware, software, or firmware components that perform cryptographic operations. It defines four ascending security levels (Level 1 through Level 4) that govern everything from basic algorithm implementation to tamper-resistant physical enclosures.
Glossary
FIPS 140-2

What is FIPS 140-2?
A U.S. government standard defining security requirements for cryptographic modules that protect sensitive but unclassified data, including electronic protected health information in federal healthcare systems.
For healthcare AI deployments handling electronic protected health information (ePHI), FIPS 140-2 validation is mandatory when operating within federal systems or when contracts stipulate NIST compliance. The standard mandates the use of approved algorithms like AES-256 and SHA-384, validated through the Cryptographic Module Validation Program (CMVP). Achieving FIPS 140-2 certification ensures that encryption at rest and in transit meets rigorous, independently verified security benchmarks.
The Four Security Levels of FIPS 140-2
FIPS 140-2 defines four ascending security levels that specify the requirements for cryptographic modules. Each level builds upon the previous one, adding more rigorous physical security mechanisms and identity-based authentication to protect sensitive data like ePHI in federal healthcare systems.
Level 1: Basic Production-Grade
The foundational level requiring approved algorithms and correct implementation, but no physical security mechanisms beyond basic production-grade components.
- Requires only an approved algorithm (e.g., AES-256) and a validated implementation
- No physical security mechanisms are mandated; a standard PC or server is acceptable
- Ideal for software-only cryptographic modules running on general-purpose operating systems
- Authentication is optional; if present, it requires only role-based authorization
- Example: A software library performing encryption on a standard cloud VM instance
Level 2: Tamper-Evident Coatings
Adds requirements for tamper-evidence and role-based authentication, making it suitable for dedicated hardware where physical access is controlled.
- Requires tamper-evident coatings or seals that show visible signs of physical intrusion
- Mandates role-based authentication where an operator must explicitly assume an authorized role
- Allows software execution on a general-purpose OS evaluated at CC EAL2 or higher
- Designed for environments where operators have controlled but not fully trusted physical access
- Example: A hardware security module (HSM) deployed in a locked data center rack
Level 3: Tamper-Resistant Enclosures
Requires tamper-resistant physical enclosures and identity-based authentication, preventing an attacker from accessing critical security parameters (CSPs) within the module.
- Enclosures must zeroize all plaintext CSPs upon detection of a physical breach
- Authentication shifts to identity-based mechanisms, verifying the specific individual, not just a role
- Physical ports for CSPs must be physically separated from other ports or logically disabled
- Software must run on an OS evaluated at CC EAL3 with additional security functional requirements
- Example: A FIPS-certified smart card or a hardened VPN appliance in a field-deployed telecom cabinet
Level 4: Complete Envelope of Protection
The highest level, providing a complete envelope of protection that detects and responds to all unauthorized physical access attempts, designed for operation in physically unprotected environments.
- Enclosure must detect penetration attempts from any direction and immediately zeroize all CSPs
- Protects against environmental attacks such as extreme temperature, voltage, or pressure fluctuations
- Designed for operation in physically unprotected environments where an attacker has full access
- Software must run on an OS evaluated at CC EAL4 with stringent security functional requirements
- Example: A military-grade cryptographic module deployed in an unattended field sensor or satellite
Frequently Asked Questions
Clear answers to the most common questions about the Federal Information Processing Standard for cryptographic modules, its security levels, and its role in protecting sensitive healthcare data in federal systems.
FIPS 140-2 is a U.S. government standard developed by the National Institute of Standards and Technology (NIST) that specifies the security requirements for cryptographic modules—the hardware, software, or firmware that implements cryptographic algorithms. It is required for any system that processes sensitive but unclassified (SBU) data within federal agencies, including electronic Protected Health Information (ePHI) in systems like the VA, DoD healthcare networks, and Medicare/Medicaid infrastructure. For healthcare AI deployments, FIPS 140-2 validation ensures that the encryption protecting patient data at rest and in transit meets a rigorously tested, government-recognized benchmark. Without it, a cloud-based clinical NLP pipeline or a prior authorization automation system cannot legally process data for federal healthcare programs. The standard defines four ascending Security Levels (Level 1 through Level 4), each imposing stricter physical and logical security requirements on the cryptographic module.
FIPS 140-2 vs. Common Criteria vs. HIPAA Encryption
Distinctions between cryptographic module validation, system security evaluation, and regulatory encryption requirements for healthcare data protection.
| Feature | FIPS 140-2 | Common Criteria | HIPAA Encryption |
|---|---|---|---|
Primary Focus | Cryptographic module security | IT product security evaluation | ePHI confidentiality and integrity |
Governing Body | NIST (U.S.) | ISO/IEC 15408 (International) | HHS/OCR (U.S.) |
Mandatory for Federal Systems | |||
Specifies Algorithm Requirements | |||
Addresses Physical Tamper Resistance | |||
Defines Breach Safe Harbor | |||
Evaluation Assurance Levels | 4 Security Levels (1-4) | 7 EALs (EAL1-EAL7) | |
Typical Validation Duration | 6-12 months | 12-24+ months |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
FIPS 140-2 is a cornerstone of federal healthcare security. These related concepts define the broader ecosystem of cryptographic validation, key management, and regulatory frameworks required to protect sensitive unclassified data in clinical environments.
FIPS 140-3
The successor to FIPS 140-2, published in 2019, which aligns U.S. cryptographic module validation with the international ISO/IEC 19790:2012 standard. Key changes include:
- Mandatory non-invasive physical security testing for all levels
- New software/firmware security requirements replacing the old 'operational environment' model
- Stricter self-testing requirements for critical functions
- A phased transition period where FIPS 140-2 certificates remain valid until September 2026, after which new submissions must target 140-3
NIST SP 800-53
The Security and Privacy Controls for Information Systems and Organizations catalog that mandates the use of FIPS 140-2 validated cryptography. Specific controls include:
- SC-13: Cryptographic Protection — requires FIPS-validated modules for federal systems
- SC-28: Protection of Information at Rest — mandates encryption of stored ePHI
- SC-8: Transmission Confidentiality and Integrity — requires encrypted data in transit Healthcare organizations pursuing FedRAMP or DoD IL4/IL5 authorization must demonstrate compliance with these controls, making FIPS 140-2 a non-negotiable dependency.
Hardware Security Module (HSM)
A dedicated physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing at FIPS 140-2 Level 3 or higher. In healthcare cloud architectures:
- AWS CloudHSM and Azure Dedicated HSM provide single-tenant, FIPS 140-2 Level 3 validated appliances
- HSMs perform encryption, decryption, and signing operations within a tamper-resistant hardware boundary
- They are critical for protecting the root of trust in a healthcare PKI, securing the keys that encrypt ePHI at scale
- Unlike software modules, Level 3 HSMs zeroize all keys if physical tampering is detected
Encryption at Rest
A HIPAA addressable implementation specification that requires covered entities to protect ePHI stored on physical media. FIPS 140-2 validated modules provide the algorithmic assurance:
- AES-256 in FIPS mode is the de facto standard for encrypting EBS volumes, S3 buckets, and database tables in healthcare clouds
- The cryptographic module, not just the algorithm, must be validated — an AES implementation without a FIPS certificate is non-compliant for federal systems
- Envelope encryption patterns use a FIPS-validated master key (stored in an HSM or KMS) to encrypt data keys that protect the actual data

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us