FIPS certified vs. FIPS compliant: What’s the real difference?

“Is your MFA solution FIPS compliant, or is it certified?” 

This is a question we hear a lot, and for good reason. In industries where security and compliance are critical (especially in government contracts), understanding the difference between FIPS certified and FIPS compliant isn’t just semantics – it can mean the difference between meeting requirements and failing them. 

FIPS certified devices are independently validated to meet the necessary security controls, while compliant devices are not. US government employees and contractors who work with the federal government are required to use FIPS certified devices. Let’s break it down. 

What is FIPS? 

FIPS stands for Federal Information Processing Standards. The National Institute of Standards and Technology (NIST) publishes these standards for use by U.S. federal government agencies and their contractors – required by law through the Federal Information Security Modernization Act (FISMA) [1]. FIPS 140 focuses on the security of cryptographic modules. The current standard is FIPS 140-3, though products that were validated under FIPS 140-2 are considered current until September 2026. While they are mandatory for federal systems, many commercial enterprises and international agencies also adopt FIPS standards and validated products. 

Who is NIST? 

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce. NIST develops standards, guidelines, and best practices to help organizations manage cybersecurity and risk. In the case of FIPS, NIST is responsible for publishing the standard, overseeing the certification process, and maintaining the Cryptographic Module Validation Program (CMVP) in partnership with the Canadian Centre for Cyber Security. The CMVP site lists the FIPS validated products as well as those currently going through the validation process. 

What are the different FIPS 140 levels and what does the certification process entail? 

FIPS 140 has four different levels – at a high level they can be categorized as: 

  • Level 1 – Basic security requirements are specified for a cryptographic module: at least one approved algorithm or approved security function shall be used, and no specific physical security mechanisms are required.
  • Level 2 – Requires tamper-evident features that show evidence of any attempt to gain physical access to critical security parameters (CSPs) within the module. Addition or modification of credentials is restricted to role-based authentication, with a separation between roles for credential usage and credential management.
  • Level 3 – Physical security mechanisms have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. Authentication is identity-based: roles are tied to individual user identities per device.
  • Level 4 – Physical security mechanisms provide a complete envelope of protection around the cryptographic module, with automatic destruction of sensitive data (keys/CSPs) when tampering is detected.

As can be surmised, getting a product FIPS certified is a rigorous, formal process that requires testing by a NIST-accredited lab. 

Why FIPS certification matters and the danger of “FIPS compliant” claims

You must use FIPS-certified cryptographic modules if you’re a federal agency (or a contractor working with one). Certification provides: 

  • Assurance: You’re using technology that has been independently tested and validated. 
  • Compliance: It satisfies mandatory requirements for many government procurement contracts. 
  • Trust: Certification proves that the vendor hasn’t just claimed compliance; they’ve demonstrated it under scrutiny. 

This is where confusion often arises. When a product says it’s “FIPS compliant,” it usually means that the product uses cryptographic algorithms that the FIPS standards approve. However, the product itself has not gone through the formal certification process. 

This is essentially a self-declared claim with no third-party validation, and there is no listing for the product in NIST’s official CMVP database. 

Think of it like this: Saying you’re FIPS compliant is like saying your car could pass inspection. Being certified means it has actually been tested and you have the paperwork to prove it. 

NIST’s official position and what it means for your organization

The good news is that NIST is clear when it comes to being FIPS compliant: for cryptographic modules to meet FIPS 140 requirements, they must be certified under the CMVP. That means tested and validated by a NIST-accredited lab, not just self-declared. 

Here’s what the NIST Computer Security Resource Center (CSRC) says: “Use of cryptographic modules that are not FIPS validated is a violation of the FISMA [1] requirement for using validated cryptography.” 

Feature | FIPS Compliant | FIPS Certified
Who verifies it? | The vendor (self-declared) | Accredited lab & NIST
Official listing? | ❌ No | ✅ Yes (CMVP database)
Government approved? | ❌ Not guaranteed | ✅ Required for federal use

For organizations in regulated industries, government contractors facing CMMC audits, and government agencies themselves, understanding the distinction between FIPS-compliant and FIPS-certified products is essential for compliance and security. Marketing terminology can be misleading – always request specific FIPS 140 certificate numbers from vendors and independently verify their validity through the NIST CMVP validation database. This due diligence protects your organization from compliance gaps and ensures you’re implementing genuinely validated cryptographic solutions that meet federal security standards.
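The due-diligence step above (ask for certificate numbers, then check them against the CMVP listing) is easy to describe and easy to get wrong. The script below is an added example, not code from the original article or from Yubico: it pulls certificate numbers out of a vendor’s claim text, treats a claim with no certificate number as “compliant-only” (self-declared), and checks each number against a set of CMVP-style records for vendor match, active status and the FIPS 140-2 sunset mentioned above. The record layout, the certificate numbers and vendor names are all constructed for illustration; the authoritative source remains the CMVP validated-modules search at csrc.nist.gov, whose fields may differ from the dataclass used here.

```python
"""Triage a vendor's FIPS claim against CMVP-style validation records.

Added example. All records, certificate numbers and vendor names below are
constructed; replace CMVP_SAMPLE with rows taken from the real CMVP listing.
"""
import re
from dataclasses import dataclass
from datetime import date

# The article states that FIPS 140-2 validations stay current until September 2026.
# The day of month is assumed here; the article only gives the month.
FIPS_140_2_SUNSET = date(2026, 9, 21)


@dataclass(frozen=True)
class CmvpRecord:
    """One row of a CMVP-style listing (constructed layout, not NIST's schema)."""
    cert: int
    module_name: str
    vendor: str
    standard: str       # "FIPS 140-2" or "FIPS 140-3"
    status: str         # "Active", "Historical" or "Revoked"
    overall_level: int  # 1..4


# Constructed sample records; the certificate numbers are not real CMVP numbers.
CMVP_SAMPLE = {
    9001: CmvpRecord(9001, "Example Token Cryptographic Module", "ExampleCo", "FIPS 140-3", "Active", 2),
    9002: CmvpRecord(9002, "Legacy Module v1", "ExampleCo", "FIPS 140-2", "Active", 1),
    9003: CmvpRecord(9003, "Old Module", "OtherCo", "FIPS 140-2", "Historical", 1),
}

# Matches "Certificate #9001", "cert. # 12", "certificate 9001"; does not match
# the word "certified" because a digit must follow.
CERT_RE = re.compile(r"(?:certificate|cert\.?)\s*#?\s*(\d{1,5})", re.IGNORECASE)


def extract_cert_numbers(claim_text):
    """Return the distinct certificate numbers cited in a vendor's claim text."""
    return sorted({int(n) for n in CERT_RE.findall(claim_text)})


def assess_claim(claim_text, vendor, cmvp, today):
    """Return (verdict, reasons).

    verdict is one of:
      "compliant-only" - no certificate number cited; self-declared claim
      "unverified"     - a cited certificate is missing, for another vendor,
                         not Active, or a FIPS 140-2 validation past its sunset
      "validated"      - every cited certificate checks out
    """
    certs = extract_cert_numbers(claim_text)
    if not certs:
        return "compliant-only", ["claim cites no CMVP certificate number; treat as self-declared"]

    verdict, reasons = "validated", []
    for c in certs:
        rec = cmvp.get(c)
        if rec is None:
            verdict = "unverified"
            reasons.append(f"#{c}: not found in CMVP listing")
        elif rec.vendor.lower() != vendor.lower():
            verdict = "unverified"
            reasons.append(f"#{c}: listed vendor is {rec.vendor}, not {vendor}")
        elif rec.status != "Active":
            verdict = "unverified"
            reasons.append(f"#{c}: status is {rec.status}")
        elif rec.standard == "FIPS 140-2" and today >= FIPS_140_2_SUNSET:
            verdict = "unverified"
            reasons.append(f"#{c}: FIPS 140-2 validation is past the September 2026 sunset")
        else:
            note = "" if rec.standard == "FIPS 140-3" else "; FIPS 140-2, current only until September 2026"
            reasons.append(f"#{c}: {rec.module_name} ({rec.standard}, level {rec.overall_level}) active{note}")
    return verdict, reasons


if __name__ == "__main__":
    # Constructed vendor statements, one "compliant" and one "validated".
    for text in ("Uses FIPS-approved AES-256 and is FIPS compliant.",
                 "Validated under FIPS 140-3, certificate #9001."):
        print(text, "->", assess_claim(text, "ExampleCo", CMVP_SAMPLE, date(2025, 1, 1)))
```

Even a “validated” verdict only tells you that a certificate exists and is active; the reviewer still has to confirm that the module named on the certificate is the one actually shipped in, and invoked by, the product being purchased, which is why the module name is printed alongside the result.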

Certified means it’s been tested, verified and trusted. Compliant means… it possibly has been. 

For more information on FIPS compliance and how YubiKeys help your organization achieve compliance, visit here. Interested in learning more about YubiKeys or have any questions? Contact our team today.

[1] The Federal Information Security Management Act (FISMA) is a US law requiring federal agencies and their contractors to develop, document, and implement information security programs to protect their data, operations, and assets.
