Module Validation Lists
The CMVP list(s) of Validated Cryptographic
Modules provide the official validation information for each module.
All questions regarding the implementation
and/or use of any module located on the following lists should first
be directed to the appropriate VENDOR point of contact (listed for each
entry). Thank you.
The FIPS 140-1 and FIPS 140-2 validation lists contain those cryptographic
modules that have been tested and validated under the Cryptographic
Module Validation Program as meeting requirements for FIPS PUB 140-1
and FIPS PUB 140-2. A validation certificate has been issued for each
of the modules listed. A single validation certificate may list multiple
modules. A single validation entry may list multiple versions of the
validated module. The validation entry is the official validation information.
The provided image of the original validation certificate is for reference
only. Updates may have occurred since the printing of the original certificate
and will only appear on the validation entry. This list is typically
updated either the day of or day after a certificate is issued.
If a validation certificate is marked not available,
the module is no longer available for procurement from the vendor identified
on the certificate, but may still be retained and used to demonstrate
compliance to FIPS 140-1 or FIPS 140-2.
If a validation certificate is marked as revoked,
the module validation is no longer valid and may not be referenced to
demonstrate compliance to FIPS 140-1 or FIPS 140-2.
Users in Federal Government organizations are advised to refer to the
FIPS 140-1 and FIPS 140-2 validation list. A product or
implementation does not meet the FIPS 140-1 or FIPS 140-2 applicability
requirements by simply implementing an Approved security function and
acquiring algorithm validation certificates. Only modules tested and
validated to FIPS 140-1 or FIPS 140-2 meet the applicability requirements
for cryptographic modules to protect sensitive information.
- FIPS 140-1 and FIPS 140-2 Vendor
and FIPS 140-2 Vendor List
An alphabetical list of vendors who have implemented validated cryptographic
modules. The list includes links to the individual certificates issued.
- FIPS 140-1 and FIPS 140-2 Cryptographic Module Validation
The validation listings provide the detailed module information including
the algorithm implementation references which appear on the CAVP
algorithm validation lists, Security Policies, original certificate
images or reference to the consolidated validation lists and Vendor
Product Links if provided.
CMVP Validation Access Database (ZIP)
The CMVP Validation Access Database can be used
to develop complex search queries, provides detailed information
on entry revisions and a feature to print a reference certificate
image for any validation entry.
FIPS 140-1 and FIPS 140-2 Validation
Last updated 11/30/2016
Invalid entries will be directed to the most recently
issued validation certificate.
Lists grouped by year, with validation certificate number ranges:
- It is important to note that the items
on this list are cryptographic modules. A module may either
be an embedded component of a product or application,
or a complete product in-and-of-itself. If
the cryptographic module is a component of a larger product or application,
one should contact the product or application vendor in order to determine
what products utilize an embedded validated cryptographic module.
There are inevitably a larger number of security products available
which use a validated cryptographic module, than the number of modules
which are found in this list. In addition, it is possible
that other vendors, who are not found in this list, might incorporate
a validated cryptographic module from this list into their own products.
Vendors are strongly encouraged to make
use of the CMVP
Vendor Product Link which is available for use on the module
- When selecting a module from a vendor,
verify that the application or product that is being offered is either
a validated cryptographic module itself (e.g. VPN, SmartCard, etc)
or the application or product uses an embedded validated cryptographic
module (toolkit, etc). Ask the vendor to supply a signed letter stating
their application, product or module is a validated module or incorporates
a validated module, the module provides all the cryptographic services
in the solution, and reference the modules validation certificate
number. The certificate number will provide reference to the above
CMVP lists of validated modules. Each entry will state what version/part
number/release is validated, and the operational environment (if applicable)
the module has been validated. The information on the CMVP validation
entry can be checked against the information provided by the vendor
and verified that they agree. If they do not agree, the vendor is
not offering a validated solution. If a software or firmware module,
there is guidance on how the module can be ported to similar operational
environments and maintain the validation. This is found in FIPS
140-2 IG G.5.
- Module descriptions were provided by the vendors, and their contents
have not been verified for accuracy by NIST or CSE. The descriptions
do not imply endorsement by the U.S. or Canadian Governments or NIST.
Additionally, the descriptions may not necessarily reflect the capabilities
of the modules when operated in the FIPS-approved mode. The algorithms,
protocols, and cryptographic functions listed as "other algorithms"
(non-FIPS-approved algorithms) have not been validated or tested through
Use of FIPS 140-2 Logo and Phrases
What are the guidelines for the use of the FIPS 140-1 and
The phrases FIPS 140-1 Validated and FIPS 140-2 Validated
and the FIPS 140-1 and 140-2 Logos are intended for use in association
with cryptographic modules validated by the National Institute of Standards
and Technology (NIST) and the Communications Security Establishment (CSE) of
Canada as complying with FIPS 140-1 or FIPS 140-2, Security
Requirements for Cryptographic Modules.
Vendors of validated cryptographic modules or vendors of products that
embed validated cryptographic modules are encouraged to use the phrases
and logo provided that they agree to the following and returning the
140-1 Form or FIPS
140-2 Logo Form:
- The phrases FIPS 140-1 Validated and FIPS 140-2 Validated
and the FIPS 140-1 and FIPS 140-2 Logos are Certification Marks of
NIST, which retains exclusive rights to their use.
- NIST reserves the right to control the quality of the use of the
phrases FIPS 140-1 Validated and FIPS 140-2 Validated
and the logos themselves.
- Permission for advertising FIPS 140-1 and FIPS 140-2 validation
and use of the logos are conditional on and limited to those cryptographic
modules validated by NIST and CSEC as complying with FIPS 140-1 or
- A cryptographic module may either be a component of a product, or
a standalone product. Use of the FIPS 140-1 and FIPS 140-2 Logos on
product reports, letterhead, brochures, marketing material, and product
packaging must be accompanied by the following: "TM: A Certification
Mark of NIST, which does not imply product endorsement by NIST, the
U.S. or Canadian Governments." If the cryptographic module is
an embedded component of a product, the phrase FIPS 140-1 Inside
or FIPS 140-2 Inside must accompany the logo.
- Permission for the use of the phrases FIPS 140-1 Validated
and FIPS 140-2 Validated and the logos may be revoked at the
discretion of NIST.
- Permission to use the phrases FIPS 140-1 Validated or FIPS
140-2 Validated or the FIPS 140-1 and FIPS 140-2 Logos in no way
constitute or imply product endorsement by NIST or CSEC.
How can electronic images of the logos be obtained from NIST?
Electronic copies of the logo are available from NIST once a signed
logo form has been received. This form must be filled out and signed
and returned to NIST whenever the NIST Certificate Marks are used in
reference to a validated module. Multiple certificate numbers may be
included on a single form. Submission of the form by a vendor for one
certificate does not allow use of the logos for other certificates that
may have been issued. Only one form need be return per vendor in reference
to the use of a single validated module. For example, if a product vendor
embeds a validated module within many of their products, only one form
need be signed and returned by that vendor. If many vendors are embedding
the same validated module in products, each vendor must return a signed
The cryptographic module is not a product. Can I use the FIPS logo
on product literature?
Yes, as stated above in bullet 4, NIST allows the use of the FIPS logo
when the validation module is embedded into a product or application.
However, along with the TM annotation, the phrase "FIPS 140-1
Inside" or "FIPS 140-2 Inside" shall be included.
There is no assurance that a product is correctly utilizing an embedded
validated cryptographic module - this is outside the scope of the FIPS
140-1 or FIPS 140-2 validation.
What process does the CMVP follow if informed by 3rd parties regarding
the unapproved use of trade marked logos and phrases?
The CMVP will review the information provided and contact the parties
that may be using the NIST certificate marks without consent. If consent
was not given, the CMVP will ask that the use of the certification marks
be discontinued. If not, the CMVP will pass the information to the NIST
legal counsel for resolution and follow up.
The CMVP list(s)
of Validated Cryptographic Modules provide the official validation information
for each module. The CMVP no longer issues individual module validation
Consolidated Validation Certificates
Last updated 11/07/2016
The FIPS 140-2 Consolidated Validation Certificates provide traceability
to the NIST and CSEC validation signatories. Each consolidated validation
certificate includes references to multiple individual module validations.
Back to Top