FIPS has been developed by NIST to address the inadequacy of industry standards or solutions for the security and interoperability requirements of the Federal government.

The National Institute of Standards and Technology (NIST) issued the FIPS (Federal Information Processing Standard) 140 series to uphold the standards indicating the US Federal Government requirements that IT products should meet. 

Who needs FIPS 140-2 compliance?

When you wish to launch hardware or software products in the US market containing cryptographic modules, you need to comply with FIPS 140-2.

There are two programs associated with the FIPS 140 effort: the Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVVP). Algorithms are simply the basic commands which perform the encryption/decryption/hashing of the plaintext or ciphertext data. Modules are the actual software/hardware incorporating these algorithms. Both programs are jointly operated by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC). In general, any cryptographic module that uses, stores, and /or transmits sensitive data, and is sold to the federal market in US & Canada, must meet the FIPS 140-2 requirements. Also, all modules are required to utilize at least one FIPS-approved encryption algorithm.

What can UL do?

UL is uniquely positioned as one of only twenty accredited cryptographic module testing laboratories worldwide. We perform validation testing of cryptographic modules. Within most areas, a cryptographic module receives a security level rating, depending on which requirements are met. Our highly skilled engineers will perform the required tests to ensure your hardware and software products are ready for the US market.

FIPS 140-2 Useful websites* 
  • NIST CAVP main website
    This link lists all of the cryptographic algorithm types that can be validated under the CAVP, along with the associated standards or specification documents for each, and the tests that are conducted. The duration for algorithm investigations is typically on the order of 2 weeks. 
  • NIST CMVP main website
    This link provides an overview of the CMVP. On the left, there are various links that may be of interest, including the "Standards" link (see below), the "Module Validation Lists" (which indicates all validated modules since the program's inception), and the "Modules In Process" link, which shows the products that are currently under evaluation and/or review by NIST/CSEC . 
  • The duration for module investigations is typically on the order of 2-3 months (depending upon the complexity of the product) plus the time required for NIST/CSEC to review the test data (variable 3-10 months) 
  • FIPS 140-2 Standard (pdf)
    The primary document is FIPS PUB 140-2 – “Security Requirements for Cryptographic Modules”. Within this document, refer to Appendix A, which gives a summary of the documentation requirements, and Appendix C, which details the information to be included in the Security Policy which is the primary document required for FIPS 140-2 validation. 

FIPS 140-22 Annexes*: 

This document goes into much more detail on what is involved from both a vendor and testing lab (UL) standpoint for each requirement provided in the FIPS 140-2 standard. Note that the clauses that start with ““VE” are vendor requirements and “TE” is for testing lab requirements. 

Federal Resources*:

FIPS 140-2 


*UL offers links to these websites and documents because we believe they may have value and relevance for consumers, manufacturers and others who share our interest in public safety. UL has no role in the development or maintenance of these websites and documents. UL is not responsible for the content, accuracy, opinions expressed or other links provided by these resources.