Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

This is an archive
(replace .gov by .rip)

Cryptographic Module Validation Program CMVP

Use of FIPS 140-2 Logo and Phrases

What are the guidelines for the use of the FIPS 140-1 and 140-2 logos?

 

The phrases FIPS 140-1 Validated and FIPS 140-2 Validated and the FIPS 140-1 and 140-2 Logos are intended for use in association with cryptographic modules validated by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of Canada as complying with FIPS 140-1 or FIPS 140-2, Security Requirements for Cryptographic Modules.

Vendors of validated cryptographic modules or vendors of products that embed validated cryptographic modules are encouraged to use the phrases and logo provided that they agree to the following and returning the signed FIPS 140-1 Form or FIPS 140-2 Logo Form:

  1. The phrases FIPS 140-1 Validated and FIPS 140-2 Validated and the FIPS 140-1 and FIPS 140-2 Logos are Certification Marks of NIST, which retains exclusive rights to their use.
  2. NIST reserves the right to control the quality of the use of the phrases FIPS 140-1 Validated and FIPS 140-2 Validated and the logos themselves.
  3. Permission for advertising FIPS 140-1 and FIPS 140-2 validation and use of the logos are conditional on and limited to those cryptographic modules validated by NIST and CSEC as complying with FIPS 140-1 or FIPS 140-2.
  4. A cryptographic module may either be a component of a product, or a standalone product. Use of the FIPS 140-1 and FIPS 140-2 Logos on product reports, letterhead, brochures, marketing material, and product packaging must be accompanied by the following: "TM: A Certification Mark of NIST, which does not imply product endorsement by NIST, the U.S. or Canadian Governments." If the cryptographic module is an embedded component of a product, the phrase FIPS 140-1 Inside or FIPS 140-2 Insidemust accompany the logo.
  5. Permission for the use of the phrases FIPS 140-1 Validated and FIPS 140-2Validated and the logos may be revoked at the discretion of NIST.
  6. Permission to use the phrases FIPS 140-1 Validated or FIPS 140-2 Validated or the FIPS 140-1 and FIPS 140-2 Logos in no way constitute or imply product endorsement by NIST or CSEC.


How can electronic images of the logos be obtained from NIST?

Electronic copies of the logo are available from NIST once a signed logo form has been received. This form must be filled out and signed and returned to NIST whenever the NIST Certificate Marks are used in reference to a validated module. Multiple certificate numbers may be included on a single form. Submission of the form by a vendor for one certificate does not allow use of the logos for other certificates that may have been issued. Only one form need be return per vendor in reference to the use of a single validated module. For example, if a product vendor embeds a validated module within many of their products, only one form need be signed and returned by that vendor. If many vendors are embedding the same validated module in products, each vendor must return a signed form.


The cryptographic module is not a product. Can I use the FIPS logo on product literature?

Yes, as stated above in bullet 4, NIST allows the use of the FIPS logo when the validation module is embedded into a product or application. However, along with the TM annotation, the phrase "FIPS 140-1 Inside" or "FIPS 140-2 Inside" shall be included. There is no assurance that a product is correctly utilizing an embedded validated cryptographic module - this is outside the scope of the FIPS 140-1 or FIPS 140-2 validation.


What process does the CMVP follow if informed by 3rd parties regarding the unapproved use of trademarked logos and phrases?

The CMVP will review the information provided and contact the parties that may be using the NIST certificate marks without consent. If consent was not given, the CMVP will ask that the use of the certification marks be discontinued. If not, the CMVP will pass the information to the NIST legal counsel for resolution and follow up.

Created October 11, 2016, Updated August 05, 2020