FIPS stands for “Federal Information Processing Standard.” The current version, FIPS 140-2, has four security levels. The National Institute of Standards and Technology (NIST) developed the FIPS standard to help protect sensitive government information from hackers. FIPS 140-2 covers all cryptographic hardware, software and firmware modules that handle data and communications.
When you want to ensure that you’re always in compliance with FIPS 140 changes, consider that Digi's entire cellular suite is FIPS 140-2 validated via a simple firmware update using Digi Remote Manager®. Because Digi has simplified implementation of FIPS 140-2, not only do we ensure your FIPS 140 version stays current, but our always up-to-date encryption process makes it easy to implement. You can simply upgrade your firmware and your Digi devices will instantly comply with FIPS 140-2 Level 1. That’s it. Avoid getting stuck with costly and complicated solutions. And if you need support at any point along your FIPS journey, Digi Professional Services can help.
If you work with the U.S. or Canadian governments and handle sensitive or protected information, your cryptographic modules must be validated to the FIPS 140-2 standard. The Federal Information Security Management Act (FISMA) requires U.S. government agencies, U.S. government contractors, and third parties working for federal agencies to adhere to the FIPS 140-2 standard to protect sensitive data. In fact, any defense contractor handling Controlled Unclassified Information must meet FIPS validation requirements and employ “cryptographic mechanisms” to protect confidentiality. Private sector organizations that comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) must also pass FIPS 140-2 validation.
FIPS 140-2 serves as a benchmark for cryptographic hardware effectiveness. FIPS 140-2 validation means a product meets the rigorous requirements of the U.S. and Canadian governments. However, it isn’t just for governments. Governmental and non-governmental sectors around the globe can require their communications devices to comply with FIPS 140-2 as a best practice cybersecurity benchmark. Because this unified standard provides extraordinary data protection against increasingly sophisticated cyberattacks, it provides a measurable way to harden devices and systems against threats.
Failing to comply with FIPS can result in significant financial and reputational damage. For regulated industries such as government agencies and financial institutions, any significant lapse in compliance can mean these organizations suffer loss of business as well as civil or criminal penalties, fines and government audits.
FIPS 140-2 validation is required for all government entities, including the FBI, the Department of Defense, U.S. Border Patrol, and other agencies handling Controlled Unclassified Information (CUI) on any device. For example, the International Traffic in Arms Regulation (ITAR) addendum highlights FIPS 140-2 standards required for the transmission or storage of technical data outside the United States.
In addition to U.S. government agencies, government contractors must use FIPS 140-2 validated devices to encrypt and protect sensitive data from increasingly sophisticated cyberattacks. Defense contractors, for example, are required to employ FIPS-validated cryptography to protect the confidentiality of Controlled Unclassified Information on all desktop and mobile devices.
Public safety organizations that send sensitive data are a key use case for FIPS 140-2 validated devices. In particular, law enforcement agencies must use FIPS 140-2 in the handling of any data transferred wirelessly. Law enforcement officers and staff access the federal Criminal Justice Information System (CJIS), which involves use of Controlled Unclassified Information.
The FIPS 140-2 standard applies to regulated industries that collect, store and transfer sensitive data. This includes government financial operations such as the IRS and the Federal Reserve, as well as many private sector banks and financial services. These organizations use FIPS 140-2 requirements to ensure that their data and communications conform to regulated security standards.
Because health practitioners handle sensitive patient data, FIPS 140-2 validation is increasingly required for devices and software used in healthcare and medical systems. Compliance with these standards helps safeguard electronic health records, medical devices, and communication systems from cyberthreats, ensuring patient privacy and the integrity of critical healthcare information.
FIPS 140-2 compliance is a goal for a range of industries where data must be encrypted. The FIPS 140-2 standard provides a benchmark for ensuring that compliance meets specific requirements. While the standard is not mandated outside of government, medical and financial applications, it can be used for data encryption in manufacturing, transportation, utilities, airport control and other use cases.
The evolution of FIPS now includes FIPS 140-3. There are few major technical changes, most significantly a migration from internally developed security standards towards a set of standards developed and maintained by the international body ISO. Digi is committed to transitioning to FIPS 140-3 as part of a firmware release prior to the expected expiration of FIPS 140-2 in September 2026.