On July 17, 1995, the National Institute of Standard and Technology (NIST), Computer Systems Laboratory (CSL), established the Cryptographic Module Validation (CMV) Program which validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-1, Security Requirements for Cryptographic Modules. Under this program, vendors of cryptographic modules use independent, accredited testing laboratories to have their modules tested. The program was jointly developed by NIST and the Communications Security Establishment of the government of Canada. Products validated as conforming to FIPS 140-1 will be accepted for use by the federal agencies of both countries for the protection of sensitive, unclassified information. The goal of the CMV Program is to provide federal agencies with a security metric to use in procuring equipment containing cryptographic modules. The results of the independent testing, by accredited laboratories, provide this metric. Federal agencies can choose products from the FIPS 140-1 Validated Products List and know that their FIPS 140-1 requirements have been met.

This bulletin discusses when and how FIPS 140-1 should be used and examines the benefits that agencies can derive in using the standard. While the bulletin highlights several critical issues that federal agencies need to consider, agencies should rely on FIPS 140-1 for precise applicability statements, requirements, and policy for use.