FIPS 140-2

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. government security standard for hardware and software products that implement cryptography; conformance to it is validated under a program run jointly by the United States and Canada. Products must be validated to FIPS 140-2 if they are to be used in a security system that protects sensitive but unclassified information.

Corsec helps determine the best path to FIPS 140-2 validation given your product’s unique market drivers, competitive landscape and primary goals.

FIPS 140-2 Certification Process

CONTACT CORSEC for information on FIPS 140-2 and other certifications for your product.


FIPS 140-2 Overview

In the United States, federal agencies are required by law (FISMA) to protect sensitive but unclassified information with cryptographic modules that have been FIPS 140-2 validated, so in practice a product that implements cryptography cannot be sold to the federal government without a validation. To be considered for procurement, products that use cryptography for secure remote management, data encryption, digital signatures, or information protection must achieve FIPS 140-2 validation.

To receive a FIPS 140-2 validation, the product must be tested by an accredited Cryptographic and Security Testing (CST) laboratory, and the laboratory's test report must then be accepted by the government. Reaching FIPS 140-2 compliance typically requires product changes, documentation development, laboratory testing and government oversight.

NIST publishes the complete list of FIPS 140-2 validated modules, with their certificate numbers, on the Cryptographic Module Validation Program (CMVP) website.

FIPS 140-2 Requirements

A FIPS 140-2 validation allows organizations to sell their products to many markets around the globe.

Are you focusing on these markets? The certifications that apply to each are listed beside it.

U.S. Government: Common Criteria, FIPS 140-2, UC APL
Canadian Government: Common Criteria, FIPS 140-2, UC APL
Financial Services: Common Criteria, FIPS 140-2, UC APL
Health Care: Common Criteria, FIPS 140-2, UC APL
Critical Infrastructure: Common Criteria, FIPS 140-2, UC APL
European Government: Common Criteria, FIPS 140-2, UC APL
Latin American Government: Common Criteria, FIPS 140-2, UC APL
Asian Government: Common Criteria, FIPS 140-2, UC APL


FIPS 140-2 Common Questions

There are four important considerations when contemplating FIPS 140-2 validation.

How long does FIPS 140-2 Validation take?

A typical FIPS 140-2 validation effort takes eight to twelve months from start to finish, and it can take longer if the product enters laboratory testing unprepared or the government review queue is long. There are three major phases in the process.

Phase 1: Design and Documentation

The amount of time to properly design and document a product varies greatly, depending upon the nature of the changes required and the maturity level of the product being evaluated. However, this phase of the process is the one that product vendors can most control. Many products require only small changes to meet FIPS 140-2 requirements. Some product manufacturers are able to integrate the design and documentation phase into a regular product release cycle. Assuming ideal circumstances, Corsec recommends planning for approximately three months for this effort.

Phase 2: Laboratory Testing

The amount of time that laboratory testing of an individual product takes depends directly on how well the product was designed and documented. A product that properly meets the requirements and arrives at the testing laboratory with all required documentation written correctly can move through testing in two to three months. There is no upper bound, however: a product that arrives with unresolved design gaps or incomplete documentation can stall in testing indefinitely while those gaps are fixed. Corsec recommends ensuring your product meets all requirements before entering the FIPS 140-2 testing phase.

Phase 3: Government Review

Once the testing laboratory completes its testing of a product, it submits a test report to the Cryptographic Module Validation Program (CMVP) for review. The CMVP is a joint United States and Canadian program, operated by NIST and the Canadian Centre for Cyber Security, that reviews every test report for compliance and issues the validation certificate. The time this review takes depends on the current length of the test report queue and ranges from two to eight months. Additional time is required if the CMVP raises comments or problems with the product are discovered during the review.


How much does FIPS 140-2 Validation cost?

FIPS 140-2 validation costs vary greatly, depending on the complexity of the product and the security level sought (FIPS 140-2 defines four levels, Level 1 through Level 4, with increasing requirements). Additionally, poor planning and failure to execute a plan properly have resulted in some staggering sums being spent on validation efforts. Estimating how much a validation will cost is one of the most important activities when planning an evaluation effort.


What is the difference between FIPS 140-2 Compliant and Validated?

There is a substantial difference between claiming your product is 'FIPS 140-2 compliant' and 'FIPS 140-2 validated.' The former term refers to a product that has incorporated within its design another company's cryptographic module that went through the complete FIPS validation process. It does not carry as much weight as being able to claim 'FIPS 140-2 validation,' which means the vendor has taken its own product through the entire FIPS 140-2 evaluation process and holds a certificate issued by the government. A validated product also meets the legal requirements enacted by Congress, as well as the procurement requirements of the U.S. government and of industries such as healthcare, financial services and critical infrastructure. In either case, a validated module carries a CMVP certificate number that buyers can check against NIST's published list; a 'compliant' claim is only meaningful if the embedded module is operated in its approved mode of operation, within the cryptographic boundary and operational environment recorded on that certificate.


How do I get FIPS 140-2 Validated?

In order to begin a FIPS 140-2 validation, there are a number of decisions that need to be made. However, none of these decisions can be made until you understand the following:

Return on investment
Cost
Product changes
Certification options
Timing
Customer requirements
New business areas
Competitive analysis


Corsec offers a comprehensive set of services to help you answer all of these questions and plan a successful FIPS 140-2 validation. Schedule An Assessment for your organization to determine the best options forward.


Get Started On Certifications

Watch A Webinar by Corsec

Discuss Your Certification Needs

Call Corsec +1 703 267 6050