
Standards

FIPS PUB 140-2 - Effective 15-Nov-2001

Security Requirements for Cryptographic Modules

NVLAP accredited Cryptographic and Security Testing (CST) Laboratories perform conformance testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS PUB 140-2, Security Requirements for Cryptographic Modules [ PDF ]. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. For each area, a cryptographic module receives a security level rating (1-4, from lowest to highest) depending on what requirements are met.

An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas. On a vendor's validation certificate, individual ratings are listed, as well as the overall rating. It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address).

FIPS PUB 140-2 Annexes:

Annex A: Approved Security Functions [ PDF 05-10-2017]
Annex B: Approved Protection Profiles [ PDF 12-21-2016]
Annex C: Approved Random Number Generators [ PDF 01-04-2016]
Annex D: Approved Key Establishment Techniques [ PDF 05-10-2017]

Testing Requirements:

Cryptographic module validation testing is performed using the Derived Test Requirements [DTR] for FIPS PUB 140-2, Security Requirements for Cryptographic Modules [ PDF 01/04/2011]. The DTR lists all of the vendor and tester requirements for validating a cryptographic module, and it is the basis of testing done by the CST accredited laboratories.

Implementation Guidance:

NIST and CSEC have developed an Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program [ PDF 08-07-2017] document for cryptographic module users, vendors and testing laboratories. This is intended to provide clarifications of CMVP programmatic guidance, FIPS 140-2, FIPS 140-2 Derived Test Requirements, testing guidance, and guidance related to the implementation of Approved or non-Approved security functions.

Validation List:

NIST maintains the FIPS 140-1 and FIPS 140-2 Cryptographic Modules Validation List of all validated FIPS 140-1 and FIPS 140-2 cryptographic modules. An alphabetical list of FIPS 140-1 and FIPS 140-2 vendors (vendors with validated cryptographic modules) is also available, along with the underlying database from which the validation listings are generated. The posted validation listing represents the official validation information.

Other Information:

  • FIPS PUB 140-2 was signed on May 25, 2001 and became effective November 15, 2001 when the Derived Test Requirements for FIPS PUB 140-2, Security Requirements for Cryptographic Modules was published.
  • The CMVP accepted test reports from CST laboratories against either FIPS 140-1 or FIPS 140-2 and the applicable DTR from November 15, 2001 to May 25, 2002 when the transition period ended.
  • After May 25, 2002, the CMVP will only accept test reports against FIPS 140-2.
  • All previous validations against FIPS 140-1 WILL STILL BE RECOGNIZED.

    • FIPS PUB 140-2 Page v, Implementation Schedule: "Agencies may retain and use FIPS 140-1 validated products that have been purchased before the end of the transition period." Clarification: Agencies may continue to purchase, retain and use FIPS 140-1 validated products after May 25, 2002.
  • Special Publication 800-29: A Comparison of the Security Requirements in Cryptographic Modules in FIPS 140-1 and FIPS 140-2

  • Diagram that maps the general flow of the CMVP FIPS 140-2 testing process.



FIPS PUB 140-1 - Transition Ended 25-May-2002

Security Requirements for Cryptographic Modules

NVLAP accredited Cryptographic Module Testing (CMT) laboratories perform validation testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS PUB 140-1, Security Requirements for Cryptographic Modules [ PDF ]. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. Within most areas, a cryptographic module receives a security level rating (1-4, from lowest to highest), depending on what requirements are met. For other areas that do not provide for different levels of security, a cryptographic module receives a rating that reflects fulfillment of all of the requirements for that area.

An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas. On a vendor's validation certificate, individual ratings are listed, as well as the overall rating. It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address).

Testing Requirements:

Cryptographic module validation testing is performed using the Derived Test Requirements for FIPS PUB 140-1 [ PDF ] and Derived Test Requirements for FIPS PUB 140-1 APPENDIX A, A Cryptographic Module Security Policy [ PDF ]. It lists all of the vendor and tester requirements for validating a cryptographic module, and it is the basis of testing done by the CMT accredited laboratories.

Implementation Guidance:

NIST and CSEC have developed an Implementation Guidance for FIPS PUB 140-1 and the Cryptographic Module Validation Program [ PDF 01-10-2002] document for cryptographic module users, vendors and testing laboratories. This is intended to provide clarifications of CMVP programmatic guidance, FIPS 140-1, FIPS 140-1 Derived Test Requirements, testing guidance, and guidance related to the implementation of Approved or non-Approved security functions.

Validation List:

NIST maintains the FIPS 140-1 and FIPS 140-2 Cryptographic Modules Validation List of all validated FIPS 140-1 and FIPS 140-2 implementations. An alphabetical list of FIPS 140-1 and FIPS 140-2 vendors (vendors with validated cryptographic modules) is also available, along with the underlying database from which the validation listings are generated. The posted validation listing represents the official validation information.

Other Information:

  • Diagram that maps the general flow of the CMVP FIPS 140-1 testing process



International Standards

ISO/IEC 19790 Information technology - Security techniques - Security requirements for cryptographic modules

ISO/IEC 19790 1st Edition was published 2006-03-01

ISO/IEC 19790 2nd Edition was published 2012-08-15

It was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 19790 1st Edition was derived from NIST Federal Information Processing Standard (FIPS) PUB 140-2, Security Requirements for Cryptographic Modules.

The CMVP does not validate cryptographic modules tested for conformance to ISO/IEC 19790. The CMVP is studying the adoption of this International Standard as the revision of FIPS 140-2.

Copies of ISO/IEC 19790 may be obtained at www.iso.org or www.ansi.org

ISO/IEC 24759 Information technology - Security techniques - Test requirements for cryptographic modules

ISO/IEC 24759 1st Edition was published 2008-07-01.

ISO/IEC 24759 2nd Edition was published 2014-01-31.

It was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 24759 1st Edition was derived from NIST Derived Test Requirements for FIPS PUB 140-2, Security Requirements for Cryptographic Modules.

Copies of ISO/IEC 24759 may be obtained at www.iso.org or www.ansi.org