
Solution ID : SO19074

What are FIPS 140-1 and 140-2?


On July 17, 1995, the National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules against Federal Information Processing Standard (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC). FIPS 140-2, Security Requirements for Cryptographic Modules, was released on May 25, 2001 and supersedes FIPS 140-1.

FIPS 140-1, now superseded by FIPS 140-2, applies to the module that stores sensitive material such as SSL or code-signing certificates and their private keys. When SSL or code-signing certificates are stored in such a module, the FIPS standard also applies to the algorithms the module uses to generate the key pair.

For example, when enrolling for a certificate, a user may choose to store that certificate on a Rainbow 2032 USB token. That token is considered FIPS 140-2 compliant because an NVLAP-accredited Cryptographic and Security Testing (CST) laboratory performed conformance testing of this cryptographic module.

Cryptographic modules are tested against the requirements found in FIPS PUB 140-2, Security Requirements for Cryptographic Modules. Refer to this link for more information on CSTs.

Once a cryptographic module passes the Security Requirements for Cryptographic Modules, the vendor of that module is issued a FIPS 140-2 Validation Certificate. Each certificate has a unique certificate number, which can be used to look up the exact module and version that was validated.
For more information on these Validation Certificates refer to

This standard is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106.

This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract.