FIPS 140

FIPS 140-2 testing remained available until September 21, 2021 (later changed to April 1, 2022 for applications already in progress[3]), creating an overlapping transition period of one year.

The requirements cover not only the cryptographic modules themselves but also their documentation and (at the highest security level) some aspects of the comments contained in the source code.

The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.

If a product contains countermeasures against these attacks, they must be documented and tested, but protections are not required to achieve a given level.

FIPS 140-2, issued on 25 May 2001, takes account of changes in available technology and official standards since 1994, and of comments received from the vendor, tester, and user communities.

It was the main input document to the international standard ISO/IEC 19790:2006, Security requirements for cryptographic modules, issued on 1 March 2006.

[9] This criticism has been countered more recently by some industry experts who instead put the responsibility on the vendor to narrow their validation boundary.