The validated modules search provides access to the official validation information of all cryptographic modules that have been tested and validated under the Cryptographic Module Validation Program as meeting requirements for FIPS 140-1, FIPS 140-2, and FIPS 140-3. The search results list all issued validation certificates that meet the supplied search criteria and provide a link to view more detailed information about each certificate. The Certificate Detail listing provides the detailed module information including algorithm implementation references to the CAVP algorithm validation, Security Policies, original certificate images or reference to the consolidated validation lists, and vendor product links if provided.
If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to the 140 standards.
If a validation certificate is marked as historical, Federal Agencies should not include the module in new systems, but it can be procured for legacy systems. This does not mean that the overall FIPS-140 certificates for these modules have been revoked; rather, it indicates that the certificates and the documentation posted with them are either more than 5 years old, or were moved to the Historical list because of programmatic transitions. In these cases, the certificates have not been updated to reflect the latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. In some cases, a module may use functionality from another module (bound module) that will be referenced in the binding module's certificate. The movement to the Historical list of the binding module will coincide with the sunset date of the bound module, regardless of its own sunset date. Agencies may make a risk determination on whether to continue using the modules on the Historical list based on their own assessment of where and how the module is used.
It is important to note that validation certificates are issued for cryptographic modules. A module may either be an embedded component of a product or application, or a complete product in and of itself. If the cryptographic module is a component of a larger product or application, one should contact the product or application vendor in order to determine what products utilize an embedded validated cryptographic module. There are inevitably a larger number of security products available which use a validated cryptographic module than the number of modules which are found in this list. In addition, it is possible that other vendors, who are not found in this list, might incorporate a validated cryptographic module from this list into their own products.
Module descriptions were provided by the vendors, and their contents have not been verified for accuracy by NIST or CSE. The descriptions do not imply endorsement by the U.S. or Canadian Governments or NIST. Additionally, the descriptions may not necessarily reflect the capabilities of the modules when operated in the FIPS-approved mode. The algorithms, protocols, and cryptographic functions listed as "other algorithms" (non-FIPS-approved algorithms) have not been validated or tested through the CMVP.
Users in Federal Government organizations are advised to utilize the validated module search to aid in product acquisition. Only modules tested and validated to FIPS 140-2 or FIPS 140-3 meet the requirements for cryptographic modules to protect sensitive information; a product or implementation does not meet the FIPS 140-2 or FIPS 140-3 requirements by simply implementing an approved security function and acquiring algorithm validation certificates.
When selecting a module from a vendor, verify that the application or product that is being offered is either a validated cryptographic module itself (e.g., VPN, SmartCard, etc.) or the application or product uses an embedded validated cryptographic module (toolkit, etc.). Ask the vendor to supply a signed letter stating that their application, product or module is a validated module or incorporates a validated module, that the module provides all the cryptographic services in the solution, and referencing the module's validation certificate number. The information on the CMVP validation entry can be checked against the information provided by the vendor to verify that they agree. If they do not agree, the vendor is not offering a validated solution. Each entry will state what version/part number/release is validated, and the operational environment (if applicable) in which the module has been validated. If the validated module is a software or firmware module, guidance is available on how the module can be ported to similar operational environments while maintaining the validation. Additional details can be found in FIPS 140 guidance.