FIPS PUB 140-2
Security Requirements for Cryptographic Modules
The FIPS PUB 140-2 PDF document was updated on December 03, 2002. If you have
previously downloaded the PDF file, you can determine the version of the
downloaded PDF file by opening File, Document Properties, Summary in the
Adobe Acrobat Reader.
[Change Notice on Page 54]
NVLAP accredited Cryptographic Modules Testing (CMT) laboratories perform
validation testing of cryptographic modules. Cryptographic modules are tested
against requirements found in FIPS PUB 140-2, Security Requirements
for Cryptographic Modules [PDF].
Security requirements cover 11 areas related to the design and implementation
of a cryptographic module. Within most areas, a cryptographic module receives
a security level rating (1-4, from lowest to highest), depending on what requirements
are met. For other areas that do not provide for different levels of security,
a cryptographic module receives a rating that reflects fulfillment of all
of the requirements for that area.
An overall rating is issued for the cryptographic module, which indicates
(1) the minimum of the independent ratings received in the areas with levels,
and (2) fulfillment of all the requirements in the other areas. On a vendor's
validation certificate, individual ratings are listed, as well as the overall
rating. It is important for vendors and users of cryptographic modules
to realize that the overall rating of a cryptographic module is not necessarily
the most important rating. The rating of an individual area may be more
important than the overall rating, depending on the environment in which
the cryptographic module will be implemented (this includes understanding
what risks the cryptographic module is intended to address).
- FIPS PUB 140-2 Annexes:
Annex A: Approved Security Functions [PDF]
Annex B: Approved Protection Profiles [PDF]
Annex C: Approved Random Number Generators [PDF]
Annex D: Approved Key Establishment Techniques [PDF]
- Testing Requirements:
Cryptographic module validation testing is performed using the Derived
Test Requirements [DTR] for FIPS PUB 140-2, Security
Requirements for Cryptographic Modules [PDF
Draft: 03/24/2004]. The DTR lists all of the vendor and tester
requirements for validating a cryptographic module, and it is the basis of
testing done by the CMT accredited laboratories.
- Implementation Guidance:
NIST and CSE have developed an Implementation Guidance for FIPS PUB
140-2 and the Cryptographic Module Validation Program [PDF
07-26-2007] document for cryptographic module vendors
and testing laboratories. This is intended to provide clarifications of the
testing process, FIPS 140-2, and the FIPS 140-2 Derived Test Requirements.
- Validation List:
NIST maintains the FIPS 140-1 and
FIPS 140-2 Cryptographic Modules Validation List of all validated FIPS
140-1 and FIPS 140-2 cryptographic modules. An alphabetical list of FIPS
140-1 and FIPS 140-2 vendors (vendors with validated cryptographic modules)
is also available.
The MS Access 2000 database [ZIP] used
to generate the FIPS 140-1 and FIPS 140-2 validation list contains all of
the data found on each FIPS 140-1 and FIPS 140-2 validation certificate.
- Other Information:
FIPS PUB 140-2 was signed on May 25, 2001. NIST and CSE have completed
the FIPS 140-2 Derived Test Requirements document. CMT laboratories
may begin testing cryptographic modules against the FIPS 140-2 DTR and
submit validation reports to NIST/CSE. The FIPS 140-2 DTR will remain
draft for a period of time to allow the CMT labs to use the document
and provide comments to NIST/CSE. The FIPS 140-2 DTR will be updated
NIST and CSE will accept validation reports from CMT laboratories against
EITHER FIPS 140-1 or FIPS 140-2 and the applicable DTR from November
15, 2001 to May 25, 2002. After May 25, 2002, NIST and CSE will only
accept validation reports for cryptographic modules against FIPS 140-2
and the FIPS 140-2 DTR. After May 25, 2002, all previous validations
against FIPS 140-1 WILL STILL BE RECOGNIZED.
- FIPS PUB 140-2 Page v, Implementation Schedule: "Agencies
may retain and use FIPS 140-1 validated products that have been purchased
before the end of the transition period". Clarification:
Agencies may continue to purchase, retain and use FIPS 140-1 validated
products after May 25, 2002.
- Special Publication
800-29: A Comparison of the Security Requirements in Cryptographic
Modules in FIPS 140-1 and FIPS 140-2
- Diagram that maps the
general flow of the CMVP FIPS 140-2 testing process.
Last Modified: July 26, 2007
Computer Security Division
National Institute of Standards and Technology