Does NIST certify IT systems, products, or modules?
No, the National Institute of Standards and Technology (NIST) does not provide certification for Information Technology (IT) systems, products, or modules. However, NIST operates a number of IT Security Validation Programs. Under these programs, vendors use third-party, independent, private-sector, accredited testing laboratories to have their products tested. Products and modules that conform to validation program test requirements are awarded validations by NIST.
What is the Purpose of the IT Security Validation Program?
The goal of the IT Security Validation Program is to promote the use of validated products that conform to IT standards and provide Federal agencies and other users with a security baseline to use in procuring systems, products, or modules. The results of the independent testing performed by laboratories accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP) provide this baseline. NIST Computer Security Division (CSD) is the validation authority that validates the test results and issues validation certificates.
What are CSD IT Security Validation Programs?
NIST has validation programs for the following:
Where can I find a list of validated products and modules as well as vendor lists?
NIST posts and maintains the Module Validation Lists on the CSD Web site. The FIPS 140-1 and FIPS 140-2 validation lists contain those cryptographic modules that have been tested and validated under the Cryptographic Module Validation Program as meeting requirements for FIPS PUB 140-1 and FIPS PUB 140-2. A validation certificate has been issued for each of the modules listed.
NIST maintains an alphabetical list of vendors who have implemented validated cryptographic modules. The list includes links to the individual certificates issued.
Where can I find an accredited laboratory?
National Voluntary Laboratory Accreditation Program (NVLAP) maintains the authoritative list of accredited laboratories. The validation programs mentioned in this document use the “Cryptographic and Security Testing” laboratories.
NIST also posts all NPIVP independent third-party laboratories that conduct testing for PIV card application and PIV middleware test methods.
The NIST Standards Information Center makes every effort to provide accurate and complete information. Various data such as names, telephone numbers, links to websites, etc. may change prior to updating. We welcome suggestions on how to improve this FAQ and correct errors. The Standards Information Center provides this information “AS-IS.” NIST and the Standards Information Center make NO WARRANTY OF ANY TYPE, including NO WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NIST makes no warranties or representations as to the correctness, accuracy, completeness, or reliability of the information. As a condition of using the FAQs, you explicitly release NIST/Standards Information Center from any and all liabilities for any damage of any type that may result from errors or omissions in the FAQ or other data. Some of the documents referenced point to information created and maintained by other organizations. The Standards Information Center does not control and cannot guarantee the relevance, timeliness, or accuracy of these materials.