Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2



Stanley R. Snouffer, Arch Oldehoeft


Federal agencies, industry, and the public now rely on cryptography to protect information and communications used in critical infrastructures, electronic commerce, and other application areas. Cryptographic modules are implemented in these products and systems to provide cryptographic services such as confidentiality, integrity, non-repudiation and identification and authentication. A documented methodology for conformance testing through a defined set of security requirements in FIPS 140-1 and FIPS 140-2 and other cryptographic standards is specified in the Derived Test Requirements.FIPS 140-1 is one of NIST's most successful standards and forms the very foundation of the Cryptographic Module Validation Program. FIPS 140-2 addresses lessons learned from questions and comments and reflects changes in technology. The standard was strengthened, but not changed in focus or emphasis. Also, the standard was minimally restructured to:- Standardize the language and terminology to add clarity and consistency,- Remove redundant and extraneous information to make the standard more concise, and- Revise or remove vague requirements.Finally, a new section was added detailing new types of attacks on cryptographic modules that currently do not have specific testing available. This differences paper summarizes the changes from FIPS 140-1 to FIPS 140-2 and documents the detailed requirements.
Special Publication (NIST SP) - 800-29
Report Number


CMVP, Cryptographic Module Validation Program, cryptographic modules, cryptographic security requirements, cryptography, FIPS 140-1, FIPS 140-2


Snouffer, S. and Oldehoeft, A. (2001), A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed May 23, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created May 31, 2001, Updated October 12, 2021