In the U.S., federal agencies looking to secure sensitive but unclassified data have to buy encryption-based products that have passed the so-called "Federal Information Processing Standard (FIPS) 140-2" certification tests. Although encryption is subject to import and export guidelines, there's another type of government regulation that impacts what customers buy. Some industrialized nations choose encryption standards and require testing of encryption products before government buyers can purchase them.\u00a0In the U.S., federal agencies looking to secure sensitive but unclassified data have to buy encryption-based products that have passed the so-called "Federal Information Processing Standard (FIPS) 140-2" certification tests.Seven test labs, overseen by the Commerce Department's National Institute of Standards and Technology (NIST), examine products to assure that crypto based on the\u00a0Advanced Encryption Standard, Triple-DES, Skipjack, RSA, or the Digital Signature Algorithm is correctly implemented in products.\u00a0Randy Easter, director of NIST's cryptographic module program, says 50% of the products that have passed through testing had flaws that got corrected in the process.FIPS 140-2 certification is gaining international appeal, too. The British government is now requiring FIPS 140-2 validation in testing for government purchase.Testing can be expensive. According to Roy Pereira, product manager at encryption vendor Certicom, it took hundreds of thousands of dollars and more than a year to get its Security Builder GSE tool kit through FIPS 140-2 validation.Some companies, including EncryptX, acknowledge they can't sell to U.S. agencies because they haven't gone through FIPS 140-2 testing. Easter says government buyers should require documentation of FIPS 140-2 approval when purchasing products. Back to Management Strategies: "Encryption restrictions"