Federally Mandated Security

Protection of highly sensitive data is a paramount concern of the federal government. It has formulated certain standards to be strictly complied with.

UL’s laboratory in San Luis Obispo, California (formerly known as InfoGard)  is an independent, third-party laboratory accredited by NIST’s National Voluntary Laboratory Accreditation Program (NVLAP Lab Code: 100432-0) which provides testing and evaluation services to IT vendors so they can achieve FIPS 140-2, FIPS 201, and Common Criteria validations for their security products. UL’s Security Engineers are cross-trained in Common Criteria and FIPS, which allows for professional and efficient evaluations.

What can UL do for me?

FIPS 140-2 (Federal Information Processing Standards) is a mandatory standard for cryptographic-based security systems used by Federal agencies to protect sensitive information. UL's California laboratory is the leading Cryptographic and Security Testing (CST) laboratory completing more than 570 validations.

UL performs NIST Personal Identity Verification Program (NPIVP) Card Command Testing associated with the FIPS 201 PIV program. Homeland Security Presidential Directive (HSPD)-12 mandates the use of approved credentials for federal employees and contractors for physical and logical access to federal facilities, a market encompassing millions of people.

As a Common Criteria Testing Laboratory (CCTL), UL provides advisory and evaluation services to help IT vendors successfully complete security evaluations against published Protection Profiles. UL, with our extensive security and evaluation experience, has created an evaluation process that can be tailored towards unique customer needs.

Federal Resources

  • Special Publications Main Download Page
  • SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
  • SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
  • SP 800-111, Guide to Storage Encryption Technologies for End User Devices
  • SP 800-77, Guide to IPsec VPNs
  • SP 800-52, Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
  • SP 800-113, Guide to SSL VPNs
  • SP 800-88, Guidelines for Media Sanitization


Common Criteria/ISO15408

Common Criteria is a framework in which products users can specify their security requirements.

FIPS 201 (NPIVP) Card Command Validation

PIV smartcards are required to undergo validation testing to SP 800-73 by an accredited testing laboratory in order to be utilized by the U.S. Federal government.

FIPS 140-2

Hardware or software products containing cryptographic modules that are being sold to the US Government must comply with FIPS 140-2.