The National Institute of Standards and Technology ("NIST") published Federal Information Processing Standard ("FIPS") 140-2 on December 3, 2002. FIPS 140-2 was superseded by FIPS 140-3 on March 22, 2019.
FIPS 140-2 specifies the security requirements that will be satisfied by a cryptographic module [i.e., computer code that handles encryption], providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
Organizations making cryptographic modules can submit their modules to NIST for verification that they meet the requirements defined in FIPS 140-2 or 140-3. The list of FIPS-validated modules can be accessed via the NIST website (https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules).
From the NIST website:
The FIPS 140-1 and FIPS 140-2 validated modules search provides access to the official validation information of all cryptographic modules that have been tested and validated under the Cryptographic Module Validation Program as meeting requirements for FIPS PUB 140-1 and FIPS PUB 140-2. The search results list all issued validation certificates that meet the supplied search criteria and provide a link to view more detailed information about each certificate. The Certificate Detail listing provides the detailed module information including algorithm implementation references to the CAVP algorithm validation, Security Policies, original certificate images or reference to the consolidated validation lists, and vendor product links if provided.
If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.
If a validation certificate is marked as historical, Federal Agencies should not include these in new procurement. This does not mean that the overall FIPS-140 certificates for these modules have been revoked, rather it indicates that the certificates and the documentation posted with them are either more than 5 years old, or were moved to the historical list because of an algorithm transition. In these cases, the certificates have not been updated to reflect latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. In some cases, a module may use functionality from another module (bound module) that will be referenced in the binding module's certificate. The movement to the historical list of the binding module will coincide with the sunset date of the bound module, regardless of its own sunset date. Agencies may make a risk determination on whether to continue using the modules on the historical list based on their own assessment of where and how the module is used.
It is important to note that validation certificates are issued for cryptographic modules. A module may either be an embedded component of a product or application, or a complete product in and of itself. If the cryptographic module is a component of a larger product or application, one should contact the product or application vendor in order to determine what products utilize an embedded validated cryptographic module. There are inevitably a larger number of security products available which use a validated cryptographic module than the number of modules which are found in this list. In addition, it is possible that other vendors, who are not found in this list, might incorporate a validated cryptographic module from this list into their own products.
Users in Federal Government organizations are advised to utilize the validated module search to aid in product acquisition. Only modules tested and validated to FIPS 140-1 or FIPS 140-2 meet the applicability requirements for cryptographic modules to protect sensitive information - a product or implementation does not meet the FIPS 140-1 or FIPS 140-2 applicability requirements by simply implementing an approved security function and acquiring algorithm validation certificates.
When selecting a module from a vendor, verify that the application or product that is being offered is either a validated cryptographic module itself (e.g. VPN, SmartCard, etc.) or the application or product uses an embedded validated cryptographic module (toolkit, etc.). Ask the vendor to supply a signed letter stating their application, product or module is a validated module or incorporates a validated module, the module provides all the cryptographic services in the solution, and reference the module's validation certificate number. The information on the CMVP validation entry can be checked against the information provided by the vendor and verified that they agree. If they do not agree, the vendor is not offering a validated solution. Each entry will state what version/part number/release is validated, and the operational environment (if applicable) the module has been validated. If the validated module is a software or firmware module, guidance on how the module can be ported to similar operational environments while maintaining the validation can be found in FIPS 140-2 IG G.5.