New Federal Standard for handling sensitive data to take effect

Federal Information Processing Standard 140-1 stipulates requirements for the cryptographic processing of sensitive but unclassified data. This standard is due to become mandatory June 30. Many hardware and software products have been designed and certified to be FIPS 140-1 compliant. However, there has been some resistance to implementation, especially within the Department of Defense. Primary complaints include the consumption of limited channel capacity and the need to use Netscape and/or UNIX. Many DoD sites use a Microsoft environment for their Defense Message System communications. This makes it difficult for them to implement FIPS 140-1 because Microsoft products are not currently compliant. (This paragraph is largely derived from an article in Government Computer News by Christopher J. Dorobek.)

As reported in Cipher EI #20, February 10, 1997, FIPS 140-1 implementation requires that, after 31 January 1997, "only FIPS 140-1 validated cryptographic modules will be considered as meeting the provisions of this standard." Prior to this deadline, it was acceptable to purchase modules that had been submitted for evaluation, but had not yet been validated, or modules that had simply been claimed by their makers to conform to the standard. A list of such modules and more details on the requirements can be found at

The US National Institute of Standards and Technology and the Communications Security Establishment of the Government of Canada are sponsoring a conference, "Assuring Cryptographic Security: The Development, Validation, and Use of FIPS 140-1 Compliant Products," in Gaithersburg, MD, USA, May 11-12, 1998. Conference Web page is