There are many reasons why a product requires FIPS 140-2 validation, and the compelling one is regulatory. FIPS 140-2 evaluation is required for sale of products implementing cryptography to the Federal Government. If you don't have a certificate or at least demonstrate a commitment to obtaining one, then there is a good chance that you won't be able to sell your product in this key market.
In addition, the financial community increasingly specifies FIPS 140-2 as a procurement requirement and is beginning to embrace it, wholly or in part in its own standards.
Other compelling reasons to obtain certification are that FIPS 140-2 can be viewed as a quality mark. If you have FIPS 140-2 and your competition does not, then you may have a competitive advantage.
Documentation provided must include the following: Non-Proprietary Security Policy; Finite State Machine; Master Components List; Software/Firmware Module Descriptions; Source code listing for all software and firmware within cryptographic boundary; Description of module roles and services; Description of key management lifecycle; Algorithm Conformance Certificates; and FCC certificates for EMI/EMC compliance.
Many of these documents are probably produced during the normal product development lifecycle. However the Finite State Machine and Security Policy may be new to you. The Security Policy must be a separate releasable document that is retained by NIST, but all other documentation may be proprietary and submitted only to the testing laboratory.
The different levels within the standard provide different levels of security, and in the higher levels, have different documentation requirements. Each level successfively builds on the previous.
FIPS 140-2 was signed on 22nd June 2001. The plan is to revise the standard every five years, and the third revision of FIPS 140-3 was announced on 12th January 2005. However, the publication of the draft revisions and its approval has not followed the original timeline. With the delay to its publication, an ISO standard (ISO/IEC 19790:2012) has been developed based around the draft of FIPS 140-3.
The current plan within NIST is to completely skip FIPS 140-3 and move to FIPS 140-4. This will essentially be a wrapper around the ISO standard. Currently there is no schedule published for the adoption of FIPS 140-4.
Here is a link to the NIST website for a copy of the FIPS 140-2 standard: latest copy of FIPS 140-2 (.pdf)
In the absence of a successor to FIPS 140-2, the criteria continue to evolve through additions to the CMVP's implementation guidance and Special Publications. A number of algorithms were depricated at the end of 2010, and there was also an increase in the minimum key length required for a number of algorithms, for example. These changes were announced in SP 800-131 A.
The validation landscape is constantly changing. To see how we can help you to negotiate it, please email DL-SYMC-FIPS-Support@symantec.com.
Please reference the below link for guidance in replacing/migration from SHA-1 to SHA-2 certificates: http://www.symantec.com/page.jsp?id=sha2-transition
Return to FIPS 140-2 Product Status
Return to the Customer Trust Portal