Module Validation Lists

The FIPS 140-1 and FIPS 140-2 validation lists contain those cryptographic modules that have been tested and validated under the Cryptographic Module Validation Program as meeting requirements for FIPS PUB 140-1 and FIPS PUB 140-2. A validation certificate has been issued for each of the modules listed. A single validation certificate may list multiple modules. A single validation entry may list multiple versions of the validated module. The validation entry is the official validation information. The provided image of the original validation certificate is for reference only. Updates may have occurred since the printing of the original certificate and will only appear on the validation entry. This list is typically updated either the day of or day after a certificate is issued.

If a validation certificate is marked not available, the module is no longer available for procurement from the vendor identified on the certificate, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

Users in Federal Government organizations are advised to refer to the FIPS 140-1 and FIPS 140-2 validation list. A product or implementation does not meet the FIPS 140-1 or FIPS 140-2 applicability requirements by simply implementing an Approved security function and acquiring algorithm validation certificates. Only modules tested and validated to FIPS 140-1 or FIPS 140-2 meet the applicability requirements for cryptographic modules to protect sensitive information.

• FIPS 140-1 and FIPS 140-2 Vendor List
  FIPS 140-1 and FIPS 140-2 Vendor List
  An alphabetical list of vendors who have implemented validated cryptographic modules. The list includes links to the individual certificates issued.

• FIPS 140-1 and FIPS 140-2 Cryptographic Module Validation Lists
  The validation listings provide the detailed module information including the algorithm implementation references which appear on the CAVP algorithm validation lists, Security Policies, original certificate images or reference to the consolidated validation lists and Vendor Product Links if provided.

  Download CMVP Validation Access Database (ZIP)

  The CMVP Validation Access Database can be used to develop complex search queries, provides detailed information on entry revisions and a feature to print a reference certificate image for any validation entry.

• It is important to note that the items on this list are cryptographic modules. A module may either be an embedded component of a product or application, or a complete product in-and-of-itself. If the cryptographic module is a component of a larger product or application, one should contact the product or application vendor in order to determine what products utilize an embedded validated cryptographic module. There are inevitably a larger number of security products available which use a validated cryptographic module, than the number of modules which are found in this list. In addition, it is possible that other vendors, who are not found in this list, might incorporate a validated cryptographic module from this list into their own products.
  Vendors are strongly encouraged to make use of the CMVP Vendor Product Link which is available for use on the module validation entry.
• When selecting a module from a vendor, verify that the application or product that is being offered is either a validated cryptographic module itself (e.g. VPN, SmartCard, etc) or the application or product uses an embedded validated cryptographic module (toolkit, etc). Ask the vendor to supply a signed letter stating their application, product or module is a validated module or incorporates a validated module, the module provides all the cryptographic services in the solution, and reference the modules validation certificate number. The certificate number will provide reference to the above CMVP lists of validated modules. Each entry will state what version/part number/release is validated, and the operational environment (if applicable) the module has been validated. The information on the CMVP validation entry can be checked against the information provided by the vendor and verified that they agree. If they do not agree, the vendor is not offering a validated solution. If a software or firmware module, there is guidance on how the module can be ported to similar operational environments and maintain the validation. This is found in FIPS 140-2 IG G.5.
• Module descriptions were provided by the vendors, and their contents have not been verified for accuracy by NIST or CSE. The descriptions do not imply endorsement by the U.S. or Canadian Governments or NIST. Additionally, the descriptions may not necessarily reflect the capabilities of the modules when operated in the FIPS-approved mode. The algorithms, protocols, and cryptographic functions listed as "other algorithms" (non-FIPS-approved algorithms) have not been validated or tested through the CMVP.

Use of FIPS 140-2 Logo and Phrases

What are the guidelines for the use of the FIPS 140-1 and 140-2 Logos?

The phrases FIPS 140-1 Validated and FIPS 140-2 Validated and the FIPS 140-1 and 140-2 Logos are intended for use in association with cryptographic modules validated by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of
Canada as complying with FIPS 140-1 or FIPS 140-2, Security Requirements for Cryptographic Modules.

Vendors of validated cryptographic modules or vendors of products that embed validated cryptographic modules are encouraged to use the phrases and logo provided that they agree to the following and returning the signed FIPS 140-1 Form or FIPS 140-2 Logo Form:

1. The phrases FIPS 140-1 Validated and FIPS 140-2 Validated and the FIPS 140-1 and FIPS 140-2 Logos are Certification Marks of NIST, which retains exclusive rights to their use.
2. NIST reserves the right to control the quality of the use of the phrases FIPS 140-1 Validated and FIPS 140-2 Validated and the logos themselves.
3. Permission for advertising FIPS 140-1 and FIPS 140-2 validation and use of the logos are conditional on and limited to those cryptographic modules validated by NIST and CSEC as complying with FIPS 140-1 or FIPS 140-2.
4. A cryptographic module may either be a component of a product, or a standalone product. Use of the FIPS 140-1 and FIPS 140-2 Logos on product reports, letterhead, brochures, marketing material, and product packaging must be accompanied by the following: "TM: A Certification Mark of NIST, which does not imply product endorsement by NIST, the U.S. or Canadian Governments." If the cryptographic module is an embedded component of a product, the phrase FIPS 140-1 Inside or FIPS 140-2 Inside must accompany the logo.
5. Permission for the use of the phrases FIPS 140-1 Validated and FIPS 140-2 Validated and the logos may be revoked at the discretion of NIST.
6. Permission to use the phrases FIPS 140-1 Validated or FIPS 140-2 Validated or the FIPS 140-1 and FIPS 140-2 Logos in no way constitute or imply product endorsement by NIST or CSEC.

How can electronic images of the logos be obtained from NIST?

Electronic copies of the logo are available from NIST once a signed logo form has been received. This form must be filled out and signed and returned to NIST whenever the NIST Certificate Marks are used in reference to a validated module. Multiple certificate numbers may be included on a single form. Submission of the form by a vendor for one certificate does not allow use of the logos for other certificates that may have been issued. Only one form need be return per vendor in reference to the use of a single validated module. For example, if a product vendor embeds a validated module within many of their products, only one form need be signed and returned by that vendor. If many vendors are embedding the same validated module in products, each vendor must return a signed form.

The cryptographic module is not a product. Can I use the FIPS logo on product literature?

Yes, as stated above in bullet 4, NIST allows the use of the FIPS logo when the validation module is embedded into a product or application. However, along with the TM annotation, the phrase "FIPS 140-1 Inside" or "FIPS 140-2 Inside" shall be included. There is no assurance that a product is correctly utilizing an embedded validated cryptographic module - this is outside the scope of the FIPS 140-1 or FIPS 140-2 validation.

What process does the CMVP follow if informed by 3rd parties regarding the unapproved use of trade marked logos and phrases?

The CMVP will review the information provided and contact the parties that may be using the NIST certificate marks without consent. If consent was not given, the CMVP will ask that the use of the certification marks be discontinued. If not, the CMVP will pass the information to the NIST legal counsel for resolution and follow up.

Back to Top