“Is your MFA solution FIPS compliant, or is it certified?”
This is a question we hear a lot, and for good reason. In industries where security and compliance are critical (especially in government contracts), understanding the difference between FIPS certified and FIPS compliant isn’t just semantics – it can mean the difference between meeting requirements or failing them.
FIPS certified devices have been independently tested and validated against the standard's security requirements; devices that are merely "compliant" have not. US federal agencies, and contractors who work with the federal government, are required to use FIPS validated cryptographic modules wherever cryptography protects sensitive federal data. (NIST's own term is "validated": the CMVP issues a validation certificate, which is why "certified" and "validated" are used interchangeably in practice, including in this post.) Let's break it down.
What is FIPS?
FIPS stands for Federal Information Processing Standards. The National Institute of Standards and Technology (NIST) issues these standards for use by U.S. federal government agencies and their contractors, and their use is required by law under the Federal Information Security Modernization Act (FISMA)1. FIPS 140 is the standard that covers the security requirements for cryptographic modules. The current revision is FIPS 140-3; the CMVP stopped accepting new FIPS 140-2 submissions in September 2021, but modules that were validated under FIPS 140-2 remain on the active validated list until September 2026, after which those certificates move to the historical list. While FIPS standards are mandatory for federal systems, many commercial enterprises and international agencies also adopt them and the validated products that meet them.
Who is NIST?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce. NIST develops standards, guidelines, and best practices to help organizations manage cybersecurity and risk. In the case of FIPS 140, NIST publishes the standard, oversees the validation process, and runs the Cryptographic Module Validation Program (CMVP) jointly with the Canadian Centre for Cyber Security. The CMVP site lists validated modules (with their certificate numbers, the exact hardware and firmware versions covered, and each module's security policy document) as well as modules that are still going through the validation process (the "Modules In Process" list).
What are the different FIPS 140 levels and what does the certification process entail?
FIPS 140 defines four security levels. At a high level they can be categorized as:
- Level 1 – The baseline. At least one approved algorithm or approved security function must be used, and no specific physical security mechanisms are required beyond production-grade components.
- Level 2 – Adds tamper evidence (for example, tamper-evident coatings or seals) so that physical access to the critical security parameters (CSPs) inside the module leaves visible traces, plus role-based authentication: an operator must assume a role before using the module, with separate roles for using credentials and for managing them.
- Level 3 – Requires physical security mechanisms with a high probability of detecting and responding to attempts at physical access, use or modification of the module, and identity-based authentication, so that access is tied to an individual operator identity rather than just a role.
- Level 4 – Physical security mechanisms provide a complete envelope of protection around the module, and detected tampering triggers immediate zeroization of keys and other CSPs. The module must also protect itself against environmental conditions (voltage, temperature) outside its normal operating range.
As the level descriptions suggest, getting a product FIPS certified is a rigorous, formal process: the module is tested by an independent Cryptographic and Security Testing (CST) laboratory accredited under NIST's National Voluntary Laboratory Accreditation Program (NVLAP), and the lab's test report is then reviewed by the CMVP before a certificate is issued.
Why FIPS certification matters and the danger of “FIPS compliant” claims
You must use FIPS-certified cryptographic modules if you’re a federal agency (or a contractor working with one). Certification provides:
- Assurance: You’re using technology that has been independently tested and validated.
- Compliance: It satisfies mandatory requirements for many government procurement contracts.
- Trust: Certification proves that the vendor hasn’t just claimed compliance; they’ve demonstrated it under scrutiny.
This is where confusion often arises. When a product says it's "FIPS compliant," it usually means one of two things: the product uses cryptographic algorithms that the FIPS standards approve, or it embeds someone else's validated module (a validated cryptographic library, for example) without the product itself ever having been tested. Either way, the product as a whole has not gone through the formal certification process.
In the first case it is a self-declared claim with no third-party validation, and there is no listing in NIST's CMVP official database. In the second, a certificate exists, but it belongs to the embedded module, not to the product, and it only counts if the product actually runs that module in the approved mode described in the module's security policy.
Think of it like this: Saying you’re FIPS compliant is like saying your car could pass inspection. Being certified means it has actually been tested and you have the paperwork to prove it.
NIST’s official position and what it means for your organization
The good news is that NIST is clear on this point: for a cryptographic module to meet FIPS 140 requirements, it must be validated under the CMVP. That means tested by an NVLAP-accredited lab and validated by NIST and the Canadian Centre for Cyber Security, not just self-declared.
Here’s what the NIST Computer Security Resource Center (CSRC) says: “Use of cryptographic modules that are not FIPS validated is a violation of the FISMA1 requirement for using validated cryptography.”
| Feature | FIPS Compliant | FIPS Certified |
|---|---|---|
| Who verifies it? | The vendor (self-declared) | Accredited lab & NIST (CMVP) |
| Official listing? | ❌ No | ✅ Yes (CMVP database) |
| Government approved? | ❌ Not guaranteed | ✅ Required for federal use |
For organizations in regulated industries, government contractors facing CMMC audits, and government agencies themselves, understanding the distinction between FIPS-compliant and FIPS-certified products is essential for compliance and security. Marketing terminology can be misleading, so always request specific FIPS 140 certificate numbers from vendors and verify them yourself in the NIST CMVP validation database. When you look a certificate up, check more than that it exists: confirm that the hardware and firmware versions listed on the certificate match what you are actually deploying, that the certificate is on the active list rather than the historical or revoked list, and that you operate the device in the approved mode described in its security policy, because a different firmware build or a non-approved configuration is not covered by the validation. This due diligence protects your organization from compliance gaps and ensures you're implementing genuinely validated cryptographic solutions that meet federal security standards.
Certified means it’s been tested, verified and trusted. Compliant means… it possibly has been.
For more information on FIPS compliance and how YubiKeys help your organization achieve compliance, visit here. Interested in learning more about YubiKeys or have any questions? Contact our team today.
1: The Federal Information Security Modernization Act of 2014 (FISMA), which updated the 2002 Federal Information Security Management Act, is a US law requiring federal agencies and their contractors to develop, document, and implement information security programs to protect their data, operations, and assets.