NVLAP accredited Cryptographic and Security Testing (CST) Laboratories perform conformance testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS PUB 140-2, Security Requirements for Cryptographic Modules [ PDF ]. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. For each area, a cryptographic module receives a security level rating (1-4, from lowest to highest) depending on what requirements are met.
An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas. On a vendor's validation certificate, individual ratings are listed, as well as the overall rating. It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address).
Annex A: Approved Security Functions [ PDF Draft 10-22-2009]
Annex B: Approved Protection Profiles [ PDF Draft 06-14-2007]
Annex C: Approved Random Number Generators [ PDF Draft 07-21-2009]
Annex D: Approved Key Establishment Techniques [ PDF Draft 10-08-2009]
Cryptographic module validation testing is performed using the Derived Test Requirements [DTR] for FIPS PUB 140-2, Security Requirements for Cryptographic Modules [ PDF Draft 03/24/2004]. The DTR lists all of the vendor and tester requirements for validating a cryptographic module, and it is the basis of testing done by the CST accredited laboratories.
NIST and CSEC have developed an Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program [ PDF 10-22-2009] document for cryptographic module vendors and testing laboratories. This is intended to provide clarifications of the testing process, FIPS 140-2, and the FIPS 140-2 Derived Test Requirements.
NIST maintains the FIPS 140-1 and FIPS 140-2 Cryptographic Modules Validation List of all validated FIPS 140-1 and FIPS 140-2 cryptographic modules. An alphabetical list of FIPS 140-1 and FIPS 140-2 vendors (vendors with validated cryptographic modules) is also available.
NVLAP accredited Cryptographic and Security Testing (CST) laboratories perform validation testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS PUB 140-1, Security Requirements for Cryptographic Modules [ PDF ]. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. Within most areas, a cryptographic module receives a security level rating (1-4, from lowest to highest), depending on what requirements are met. For other areas that do not provide for different levels of security, a cryptographic module receives a rating that reflects fulfillment of all of the requirements for that area.
An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas. On a vendor's validation certificate, individual ratings are listed, as well as the overall rating. It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address).
Cryptographic module validation testing is performed using the Derived Test Requirements for FIPS PUB 140-1 [ PDF ] and Derived Test Requirements for FIPS PUB 140-1 APPENDIX A, A Cryptographic Module Security Policy [ PDF ]. Together they list all of the vendor and tester requirements for validating a cryptographic module, and they are the basis of testing done by the CST accredited laboratories.
NIST and CSEC have developed an Implementation Guidance for FIPS PUB 140-1 and the Cryptographic Module Validation Program [ PDF 01-10-2002] document for cryptographic module vendors and testing laboratories. This is intended to provide clarifications of the testing process, FIPS 140-1, and the FIPS 140-1 Derived Test Requirements.
NIST maintains the FIPS 140-1 and FIPS 140-2 Cryptographic Modules Validation List of all validated FIPS 140-1 and FIPS 140-2 implementations. An alphabetical list of FIPS 140-1 and FIPS 140-2 vendors (vendors with validated cryptographic modules) is also available.