FIPS 140-2

Cybersecurity standards are evolving to ensure that devices and data are secure. The FIPS 140-2 standard is designed to protect sensitive data in a range of applications.

Digi FIPS 140-2 Logo

What Is FIPS 140-2?

FIPS stands for “Federal Information Processing Standard." The current version, FIPS 140-2, has four security levels. The National Institute of Standards and Technology (NIST) developed the FIPS standard to help protect sensitive government information from hackers. FIPS 140-2 covers all cryptographic hardware, software and firmware modules that handle data and communications.

Diagram showing Digi products use cases

Digi FIPS 140-2 LogoWhen you want to ensure that you’re always in compliance with FIPS 140 changes, consider that Digi's entire cellular suite is FIPS 140-2 validated via a simple firmware update using Digi Remote Manager®. Because Digi has simplified implementation of FIPS 140-2, not only do we ensure your FIPS 140 version stays current, but our always up-to-date encryption process makes it easy to implement. You can simply upgrade your firmware and your Digi devices will instantly comply with FIPS 140-2 Level 1. That’s it. Avoid getting stuck with expensive, costly and complicated solutions. And if you need support at any point along your FIPS journey, Digi Professional Services can help.

Digi has achieved FIPS validation for all Digi devices based on the Digi Accelerated Linux operating system (DAL OS), including:

Why You Need FIPS 140-2

If you work with the U.S. or Canadian governments and handle sensitive or protected information, your cryptographic modules must be validated to the FIPS 140-2 standard. The Federal Information Security Management Act (FISMA) requires U.S. government agencies, U.S. government contractors, and third parties working for federal agencies to adhere to the FIPS 140-2 standard to protect sensitive data. In fact, any defense contractor handling Controlled Unclassified Information must meet FIPS validation requirements and employ “cryptographic mechanisms” to protect confidentiality. Private sector organizations that comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) must also pass FIPS 140-2 validation.

FIPS 140-2 serves as a benchmark for cryptographic hardware effectiveness. FIPS 140-2 validation means a product meets the rigorous requirements of the U.S. and Canadian governments. However, it isn’t just for governments. Governmental and non-governmental sectors around the globe can require their communications devices to comply with FIPS 140-2 as a best practice cybersecurity benchmark. Because this unified standard provides extraordinary data protection against increasingly sophisticated cyberattacks, it provides a measurable way to harden devices and systems against threats.

Failing to comply with FIPS can result in significant financial and reputational damage. For regulated industries such as government agencies and financial institutions, any significant lapse in compliance can mean these organizations suffer loss of business as well as civil or criminal penalties, fines and government audits.

FIPS 140-2 Use Cases

FIPS 140-2 compliance ensures data security for applications that transmit and utilize sensitive but unclassified (SBU) data. While this standard was initially developed for and adopted by U.S. and Canadian government entities, it has seen adoption in additional industries where cybersecurity and data privacy are critical.

Government Agencies
Government Agencies

FIPS 140-2 validation is required for all government entities, including the FBI, the Department of Defense, U.S. Border Patrol, and other agencies handling Controlled Unclassified Information (CUI) on any device. For example, the International Traffic in Arms Regulation (ITAR) addendum highlights FIPS 140-2 standards required for the transmission or storage of technical data outside the United States.

Government Contractors
Government Contractors

In addition to U.S. government agencies, government contractors must use FIPS 140-2 validated devices to encrypt and protect sensitive data from increasingly sophisticated cyberattacks. Defense contractors, for example, are required to employ FIPS-validated cryptography to protect the confidentiality of Controlled Unclassified Information on all desktop and mobile devices.

Public Safety/Law Enforcement
Public Safety/Law Enforcement

Public safety organizations that send sensitive data are a key use case for use of FIPS 140-2 validated devices. In particular, law enforcement agencies must use FIPS 140-2 in the handling of any data transferred wirelessly. Law enforcement officers and staff access the federal Criminal Justice Information System (CJIS), which involves use of Controlled Unclassified Information.

Financial Institutions
Financial Institutions

The FIPS 140-2 standard applies to regulated industries that collect, store and transfer sensitive data. This includes government financial operations such as the IRS and the Federal Reserve, as well as many private sector banks and financial services. These organizations use FIPS 140-2 requirements to ensure that their data and communications conform to regulated security standards.


Because health practitioners handle sensitive patient data, FIPS 140-2 validation is increasingly required for devices and software used in healthcare and medical systems. Compliance with these standards helps safeguard electronic health records, medical devices, and communication systems from cyberthreats, ensuring patient privacy and the integrity of critical healthcare information.

Other Industries
Other Industries

FIPS 140-2 compliance is a goal for a range of industries where data must be encrypted. The FIPS 140-2 standard provides a benchmark for ensuring that compliance meets specific requirements. While the standard is not mandated outside of government, medical and financial applications, it can be used for data encryption in manufacturing, transportation, utilities, airport control and other use cases.

FIPS 140-2 has 4 increasing security levels

NIST developed four qualitative security levels, summarized below, which are intended to cover a wide range of potential applications and environments

Security Level 1

The cryptographic module must provide essential security functions. Level 1 modules are typically implemented in software and do not require special hardware protections.

Security Level 2

Level 2 adds a requirement for tamper-evident coatings or seals to detect physical tampering or unauthorized access to the module. Level 2 also requires role-based authentication.

Security Level 3

In addition to tamper-evident coatings or seals, Level 3 requires mechanisms to actively respond to physical tampering attempts. Level 3 modules also require a physically robust enclosure.

Security Level 4

In Level 4, the cryptographic module must detect and respond to tampering attempts in real-time, potentially rendering the module inoperable if tampering is detected. Level 4 requires rigorous physical security including protection against environmental attacks.

FIPS 140-3

The evolution of FIPS now includes FIPS 140-3. There are few major technical changes, most significantly a migration from internally developed security standards towards a set of standards developed and maintained by the international body ISO . Digi is committed to transition to FIPS 140-3 as part of a firmware release prior to the expected expiration of FIPS 140-2 in September, 2026.