What is FIPS 140-1 and 140-2

Solution ID:    SO19074    Updated:    12/20/2011


On July 17, 1995, the National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules against Federal Information Processing Standard (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC). FIPS 140-2, Security Requirements for Cryptographic Modules, was released on May 25, 2001 and supersedes FIPS 140-1.

FIPS 140-1, which is superseded by FIPS 140-2, refers to the module that will store sensitive information such as SSL or Code Signing certificates. When storing SSL or Code Signing certificates, the FIPS standard also applies to the algorithms that the module uses to create the key pair.

For example, when enrolling for a certificate the user chooses to store that certificate on a Rainbow 2032 USB token. That token is considered to be FIPS 140-2 compliant because an NVLAP-accredited Cryptographic and Security Testing (CST) Laboratory performed conformance testing of this cryptographic module.

Cryptographic modules are tested against the requirements found in FIPS PUB 140-2, Security Requirements for Cryptographic Modules. Refer to this link for more information on CSTs: http://csrc.nist.gov/groups/STM/cmvp/standards.html

Once a Cryptographic Module passes the Security Requirements for Cryptographic Modules, the vendor of that Module is issued a FIPS 140-2 Validation Certificate. Each certificate has a unique Certificate Number.
For more information on these Validation Certificates, refer to http://csrc.nist.gov/groups/STM/cmvp/validation.html

This standard is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106.

This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate, or that are operated for them under contract.


Thawte has made efforts to ensure the accuracy and completeness of the information in this document. However, Thawte makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. Thawte assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document. Further, Thawte assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. Thawte reserves the right to make changes to any information herein without further notice.  
