Federation - Protection of Assertion Signing and Encryption Keys as Per FIPS 140 Level 1 Where Required, v1.0

Identity Providers must protect their assertion signing and encryption keys appropriately. For some combinations of AAL and operator type (government-operated or not), this requires that the keys be protected by cryptographic modules validated at FIPS 140 Level 1 or higher.

Assessment Step

FIPS 140 (FIPS140)
Does the IdP protect its assertion signing and encryption keys with FIPS 140 Level 1 (or higher) validated mechanisms where required? The AAL and the operator type together determine whether FIPS 140 validation is required:
  • Government-operated IdP at AAL2 or AAL3: FIPS 140 Level 1 or higher required
  • Non-government IdP at AAL3: FIPS 140 Level 1 or higher required
  • Government-operated IdP at AAL1 only: no FIPS 140 requirement
  • Non-government IdP at AAL1 or AAL2: no FIPS 140 requirement
Where FIPS 140 is required, provide evidence (e.g. key management policies, operational detail identifying the validated cryptographic module and its validation certificate, and the keys it protects) that the IdP protects its assertion signing and encryption keys with FIPS 140 Level 1 or higher validated mechanisms. Note that Level 1 does not require a hardware module; a validated software module operated in its approved mode satisfies the criterion.

Conformance Criteria (1)

Government-operated IdPs asserting authentication at AAL2 and all IdPs asserting authentication at AAL3 SHALL protect keys used for signing or encrypting those assertions with mechanisms validated at FIPS 140 Level 1 or higher.
NIST SP 800-63C
Section 4.1, Paragraph 2