Module Validation Lists

The FIPS 140-1 and FIPS 140-2 validation lists contain those cryptographic modules that have been tested and validated under the Cryptographic Module Validation Program as meeting requirements for FIPS PUB 140-1 and FIPS PUB 140-2. A validation certificate has been issued for each of the modules listed. A single validation certificate may list multiple modules. A single validation entry may list multiple versions of the validated module. The validation entry is the official validation information. The provided image of the original validation certificate is for reference only. Updates may have occurred since the printing of the original certificate and will only appear on the validation entry. This list is typically updated either the day of or day after a certificate is issued.

If a validation certificate is marked not available, the module is no longer available for procurement from the vendor identified on the certificate, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

Users in Federal Government organizations are advised to refer to the FIPS 140-1 and FIPS 140-2 validation list. A product or implementation does not meet the FIPS 140-1 or FIPS 140-2 applicability requirements by simply implementing an Approved security function and acquiring algorithm validation certificates. Only modules tested and validated to FIPS 140-1 or FIPS 140-2 meet the applicability requirements for cryptographic modules to protect sensitive information.

• FIPS 140-1 and FIPS 140-2 Vendor List
  an alphabetical list of vendors who have implemented validated cryptographic modules. The list includes links to the individual certificates issued.

• FIPS 140-1 and FIPS 140-2 Cryptographic Module Validation Lists
  detailed module information, algorithm implementations which appear on the CAVP algorithm validation lists, security policies, original certificate images and Vendor Product Links.

  Download Validation List Access Database (ZIP)

• It is important to note that the items on this list are cryptographic modules. A module may either be an embedded component of a product or application, or a complete product in-and-of-itself. If the cryptographic module is a component of a larger product or application, one should contact the product or application vendor in order to determine what products utilize an embedded validated cryptographic module. There is inevitably a larger number of security products available which use a validated cryptographic module, than the number of modules which are found in this list. In addition, it is possible that other vendors, who are not found in this list, might incorporate a validated cryptographic module from this list into their own products.
• When selecting a module from a vendor, verify that the application or product that is being offered is either a validated cryptographic module itself (e.g. VPN, SmartCard, etc) or the application or product uses an embedded validated cryptographic module (toolkit, etc). Ask the vendor to supply a signed letter stating their application, product or module is a validated module or incorporates a validated module, the module provides all the cryptographic services in the solution, and reference the modules validation certificate number. The certificate number will provide reference to the above CMVP lists of validated modules. Each entry will state what version/part number/release is validated, and the operational environment (if applicable) the module has been validated. The information on the CMVP validation entry can be checked against the information provided by the vendor and verified that they agree. If they do not agree, the vendor is not offering a validated solution. If a software or firmware module, there is guidance on how the module can be ported to similar operational environments and maintain the validation. This is found in FIPS 140-2 IG G.5.
• Module descriptions were provided by the vendors, and their contents have not been verified for accuracy by NIST or CSEC. The descriptions do not imply endorsement by the U.S. or Canadian Governments or NIST. Additionally, the descriptions may not necessarily reflect the capabilities of the modules when operated in the FIPS-approved mode. The algorithms, protocols, and cryptographic functions listed as "other algorithms" (non-FIPS-approved algorithms) have not been validated or tested through the CMVP.
• There are three additional lists which are included for historical purposes only. They reflect the various cryptographic implementations which met certain conditions specified in FIPS 140-1, which provided a transition from using FS1027 endorsed (and FIPS 140 compliant) implementations to using FIPS PUB 140-1 validated modules. Those three lists should no longer be used by agencies and departments to acquire cryptographic modules.

Back to Top