The phrases FIPS 140-1 Validated and FIPS 140-2 Validated and the FIPS 140-1 and 140-2 Logos are intended for use in association with cryptographic modules validated by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of Canada as complying with FIPS 140-1 or FIPS 140-2, Security Requirements for Cryptographic Modules.
Vendors of validated cryptographic modules or vendors of products that embed validated cryptographic modules are encouraged to use the phrases and logo provided that they agree to the following and returning the signed FIPS 140-1 Form or FIPS 140-2 Logo Form:
Electronic copies of the logo are available from NIST once a signed logo form has been received. This form must be filled out and signed and returned to NIST whenever the NIST Certificate Marks are used in reference to a validated module. Multiple certificate numbers may be included on a single form. Submission of the form by a vendor for one certificate does not allow use of the logos for other certificates that may have been issued. Only one form need be return per vendor in reference to the use of a single validated module. For example, if a product vendor embeds a validated module within many of their products, only one form need be signed and returned by that vendor. If many vendors are embedding the same validated module in products, each vendor must return a signed form.
Yes, as stated above in bullet 4, NIST allows the use of the FIPS logo when the validation module is embedded into a product or application. However, along with the TM annotation, the phrase "FIPS 140-1 Inside" or "FIPS 140-2 Inside" shall be included. There is no assurance that a product is correctly utilizing an embedded validated cryptographic module - this is outside the scope of the FIPS 140-1 or FIPS 140-2 validation.
The CMVP will review the information provided and contact the parties that may be using the NIST certificate marks without consent. If consent was not given, the CMVP will ask that the use of the certification marks be discontinued. If not, the CMVP will pass the information to the NIST legal counsel for resolution and follow up.
Security and Privacy: cryptography, testing & validation
Technologies: hardware, software & firmware