Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cryptographic Module Validation Program CMVP

CMVP FIPS 140-2 Standards and Documents

FIPS 140-2 (ending Sept-22-2021)

Security Requirements for Cryptographic Modules

NVLAP accredited Cryptographic and Security Testing (CST) Laboratories perform conformance testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS 140-2, Security Requirements for Cryptographic Modules [ PDF ]. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. For each area, a cryptographic module receives a security level rating (1-4, from lowest to highest) depending on what requirements are met.

An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas. On a vendor's validation certificate, individual ratings are listed, as well as the overall rating. It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address).

FIPS 140-2 Annexes:

Annex A: Approved Security Functions [ PDF 10-12-2021]
Annex B: Approved Protection Profiles [ PDF 06-10-2019]
Annex C: Approved Random Number Generators [ PDF 10-12-2021]
Annex D: Approved Key Establishment Techniques [ PDF 10-12-2021]

Testing Requirements:

Cryptographic module validation testing is performed using the Derived Test Requirements [DTR] for FIPS PUB 140-2, Security Requirements for Cryptographic Modules [PDF]. The DTR lists all of the vendor and tester requirements for validating a cryptographic module, and it is the basis of testing done by the CST accredited laboratories.

Implementation Guidance:

NIST and CSE have developed an Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program [PDF] document for cryptographic module users, vendors and testing laboratories. This is intended to provide clarifications of CMVP programmatic guidance, FIPS 140-2, FIPS 140-2 Derived Test Requirements, testing guidance, and guidance related to the implementation of Approved or non-Approved security functions.

Other Information:

  • FIPS 140-2 was signed on May 25, 2001 and became effective November 15, 2001 when Derived Test Requirements for FIPS PUB 140-2, Security Requirements for Cryptographic Modules was published.
  • The CMVP accepted test reports from CST laboratories against either FIPS 140-1 or FIPS 140-2 and the applicable DTR from November 15, 2001 to May 25, 2002 when the transition period ended.
  • Since May 25, 2002, the CMVP has only accepted test reports against FIPS 140-2.

Back To Top

Created October 11, 2016, Updated July 10, 2024