Module Validation Lists
All questions regarding the implementation
and/or use of any module located on the following lists should first
be directed to the appropriate VENDOR point of contact (listed for each
entry). Thank you.
The FIPS 140-1 and FIPS 140-2 validation lists contain those cryptographic
modules that have been tested and validated under the Cryptographic
Module Validation Program as meeting requirements for FIPS PUB 140-1
and FIPS PUB 140-2. A validation certificate has been issued for each
of the modules listed. A single validation certificate may list multiple
modules. A single validation entry may list multiple versions of the
validated module. The validation entry is the official validation information.
The provided image of the original validation certificate is for reference
only. Updates may have occurred since the printing of the original certificate
and will only appear on the validation entry. This list is typically
updated either the day of or day after a certificate is issued.
If a validation certificate is marked not available,
the module is no longer available for procurement from the vendor identified
on the certificate, but may still be retained and used to demonstrate
compliance to FIPS 140-1 or FIPS 140-2.
If a validation certificate is marked as revoked,
the module validation is no longer valid and may not be referenced to
demonstrate compliance to FIPS 140-1 or FIPS 140-2.
Users in Federal Government organizations are advised to refer to the
FIPS 140-1 and FIPS 140-2 validation list. A product or
implementation does not meet the FIPS 140-1 or FIPS 140-2 applicability
requirements by simply implementing an Approved security function and
acquiring algorithm validation certificates. Only modules tested and
validated to FIPS 140-1 or FIPS 140-2 meet the applicability requirements
for cryptographic modules to protect sensitive information.
FIPS 140-1 and FIPS 140-2 Validation
Entries
Last updated 09/15/2008
Invalid entries will be directed to the most recently
issued validation certifcate.
Lists grouped by year, with validation certificate number ranges:
- It is important to note that the items
on this list are cryptographic modules. A module may either
be an embedded component of a product or application,
or a complete product in-and-of-itself. If
the cryptographic module is a component of a larger product or application,
one should contact the product or application vendor in order to determine
what products utilize an embedded validated cryptographic module.
There is inevitably a larger number of security products available
which use a validated cryptographic module, than the number of modules
which are found in this list. In addition, it is possible
that other vendors, who are not found in this list, might incorporate
a validated cryptographic module from this list into their own products.
- When selecting a module from a vendor,
verify that the application or product that is being offered is either
a validated cryptographic module itself (e.g. VPN, SmartCard, etc)
or the application or product uses an embedded validated cryptographic
module (toolkit, etc). Ask the vendor to supply a signed letter stating
their application, product or module is a validated module or incorporates
a validated module, the module provides all the cryptographic services
in the solution, and reference the modules validation certificate
number. The certificate number will provide reference to the above
CMVP lists of validated modules. Each entry will state what version/part
number/release is validated, and the operational environment (if applicable)
the module has been validated. The information on the CMVP validation
entry can be checked against the information provided by the vendor
and verified that they agree. If they do not agree, the vendor is
not offering a validated solution. If a software or firmware module,
there is guidance on how the module can be ported to similar operational
environments and maintain the validation. This is found in FIPS
140-2 IG G.5.
- Module descriptions were provided by the vendors, and their contents
have not been verified for accuracy by NIST or CSEC. The descriptions
do not imply endorsement by the U.S. or Canadian Governments or NIST.
Additionally, the descriptions may not necessarily reflect the capabilities
of the modules when operated in the FIPS-approved mode. The algorithms,
protocols, and cryptographic functions listed as "other algorithms"
(non-FIPS-approved algorithms) have not been validated or tested through
the CMVP.
- There are three
additional lists which are included for historical purposes only.
They reflect the various cryptographic implementations which met certain
conditions specified in FIPS 140-1, which provided a transition from
using FS1027 endorsed (and FIPS 140 compliant) implementations to
using FIPS PUB 140-1 validated modules. Those three lists should no
longer be used by agencies and departments to acquire cryptographic
modules.
Back to Top