--- title: "How FIPS 180-4 and FIPS 202 Hash Functions Fit FIPS Algorithm Approval" canonical_url: "https://www.sorena.io/artifacts/global/fips-crypto-algorithms/faq/fips-180-4-and-fips-202-hash-functions" source_url: "https://www.sorena.io/artifacts/global/fips-crypto-algorithms/faq/fips-180-4-and-fips-202-hash-functions" author: "Sorena AI" description: "Use FIPS 180-4 for SHA-1 and SHA-2 hash algorithms, FIPS 202 for SHA-3 and SHAKE functions, and CAVP/CMVP evidence without treating a hash certificate as module validation." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "FIPS 180-4" - "FIPS 202" - "SHA-2" - "SHA-3" - "SHAKE" - "CAVP" - "CMVP" - "FIPS-approved hash algorithms" - "FIPS-approved cryptographic algorithms" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # How FIPS 180-4 and FIPS 202 Hash Functions Fit FIPS Algorithm Approval Use FIPS 180-4 for SHA-1 and SHA-2 hash algorithms, FIPS 202 for SHA-3 and SHAKE functions, and CAVP/CMVP evidence without treating a hash certificate as module validation. *FAQ* *GLOBAL* *FIPS hash-function evidence* ## FIPS 180-4 and FIPS 202 hash functions How should teams use them in FIPS-approved algorithm decisions? Use FIPS 180-4 for SHA-1 and SHA-2, FIPS 202 for SHA-3 and SHAKE, and then verify the exact implementation and operating environment through the right CAVP and CMVP evidence. This FAQ separates hash-function selection from higher-level algorithm approval and cryptographic module validation. Short answer: cite FIPS 180-4 or FIPS 202 to identify the approved hash family, but use CAVP evidence to verify the tested implementation and CMVP evidence to verify a FIPS 140-3 module claim. ## Which hash functions come from FIPS 180-4 and FIPS 202? FIPS 180-4 is the Secure Hash Standard for SHA-1 and the SHA-2 family: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. FIPS 202 adds the SHA-3 family: SHA3-224, SHA3-256, SHA3-384, SHA3-512, plus the SHAKE128 and SHAKE256 extendable-output functions. For a FIPS-approved algorithm decision, start by naming the exact function and use case. A message digest for digital signatures, an HMAC construction, a KDF, a DRBG, a post-quantum algorithm component, and a standalone SHAKE use can have different validation evidence even when the same hash family appears in the design. - Use FIPS 180-4 when the decision is about SHA-1 or SHA-2 digest functions. - Use FIPS 202 when the decision is about SHA-3 hash functions or SHAKE extendable-output functions. - Do not treat the standard name alone as proof that a product, library, or module is validated. Sources for this answer: - [NIST FIPS 180-4 Secure Hash Standard](https://csrc.nist.gov/pubs/fips/180-4/upd1/final?ref=sorena.io) - Identifies the SHA-1 and SHA-2 algorithms covered by the Secure Hash Standard. - [NIST FIPS 202 SHA-3 Standard](https://csrc.nist.gov/pubs/fips/202/final?ref=sorena.io) - Identifies the SHA-3 hash functions and the SHAKE extendable-output functions. ## What evidence proves the hash implementation is approved? The useful evidence is not a screenshot that says SHA-256 or SHA3-256 exists. Record the CAVP algorithm certificate or validation result for the exact implementation name, version, algorithm, parameters, and tested operational environment. Keep that algorithm evidence separate from the module evidence. CAVP validates algorithm implementations; CMVP validates cryptographic modules under FIPS 140-3. A module claim needs the module certificate, approved-mode documentation, and security policy scope, not only a hash-algorithm certificate. - Capture the algorithm name, certificate number or validation entry, implementation version, vendor, and tested operating environment. - For software modules, compare the CAVP operating environment with the module operating environment before relying on the certificate. - For a FIPS 140-3 claim, tie the hash evidence to the validated module boundary and approved services shown in CMVP-facing documentation. Sources for this answer: - [NIST Cryptographic Algorithm Validation Program](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program?ref=sorena.io) - Program source for CAVP algorithm implementation validation evidence. - [NIST FIPS 140-3 security requirements for cryptographic modules](https://csrc.nist.gov/pubs/fips/140-3/final?ref=sorena.io) - Distinguishes FIPS 140-3 module validation scope from the underlying approved algorithms used by the module. - [NIST Cryptographic Module Validation Program](https://csrc.nist.gov/projects/cryptographic-module-validation-program?ref=sorena.io) - Program page for CMVP module validation, which is separate from CAVP algorithm implementation testing. ## Where do teams make mistakes with SHA-3 and SHAKE? The main mistake is treating every FIPS 202 function as interchangeable. SHA-3 hash functions can appear as standalone functions or inside approved higher-level algorithms when the relevant testing path supports that use. CMVP implementation guidance is more restrictive for SHAKE128 and SHAKE256: outside algorithm standards that explicitly allow them, SHAKE functions are used as standalone algorithms. A second mistake is importing a hash certificate into a higher-level claim without checking whether the higher-level algorithm has its own CAVP testing requirement or vendor-affirmed path. That matters for signatures, KDFs, DRBGs, and module approved-service listings. - Do not substitute SHAKE for a fixed-length hash unless the higher-level algorithm standard or NIST guidance supports that use. - Do not list a higher-level algorithm as approved merely because one internal hash function has a CAVP certificate. - Do not reuse a hash validation across a changed implementation or operating environment without checking the certificate scope. Sources for this answer: - [NIST FIPS 202 SHA-3 Standard](https://csrc.nist.gov/pubs/fips/202/final?ref=sorena.io) - Explains that SHA-3 functions supplement FIPS 180-4 hash functions and that SHAKE output length is application-dependent. - [NIST Cryptographic Algorithm Validation Program](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program?ref=sorena.io) - Program source for checking whether an algorithm implementation has CAVP validation evidence. - [NIST Cryptographic Module Validation Program](https://csrc.nist.gov/projects/cryptographic-module-validation-program?ref=sorena.io) - Supports keeping module validation status and approved-mode service claims separate from standalone hash-function selection. ## Primary sources - [NIST FIPS 180-4 Secure Hash Standard](https://csrc.nist.gov/pubs/fips/180-4/upd1/final?ref=sorena.io) - Identifies the SHA-1 and SHA-2 algorithms covered by the Secure Hash Standard. - Quote: "SHA-1, SHA-224, SHA-256, SHA-384, SHA-512" - [NIST FIPS 202 SHA-3 Standard](https://csrc.nist.gov/pubs/fips/202/final?ref=sorena.io) - Identifies the SHA-3 hash functions and the SHAKE extendable-output functions. - Quote: "SHA3-224, SHA3-256, SHA3-384, and SHA3-512" - [NIST Cryptographic Algorithm Validation Program](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program?ref=sorena.io) - Program source for CAVP algorithm implementation validation evidence. - Quote: "Cryptographic Algorithm Validation Program" - [NIST FIPS 140-3 security requirements for cryptographic modules](https://csrc.nist.gov/pubs/fips/140-3/final?ref=sorena.io) - Distinguishes FIPS 140-3 module validation scope from the underlying approved algorithms used by the module. - Quote: "cryptographic modules" - [NIST Cryptographic Module Validation Program](https://csrc.nist.gov/projects/cryptographic-module-validation-program?ref=sorena.io) - Program page for CMVP module validation, which is separate from CAVP algorithm implementation testing. - Quote: "CMVP" ## Topic Guides - [AES FIPS 197 requirements and evidence](/artifacts/global/fips-crypto-algorithms/aes-fips-197.md): AES FIPS 197 guidance for identifying supported key sizes, separating the block cipher from modes of operation, and avoiding unsupported FIPS validation claims. - [CAVP and ACVP validation evidence for FIPS algorithms](/artifacts/global/fips-crypto-algorithms/cavp-and-acvp-validation.md): How to read CAVP algorithm certificates, ACVTS/ACVP test coverage, CMVP module validation, and FIPS 140-3 procurement evidence without overstating the claim. - [CAVP Validation Evidence Workflow for FIPS Algorithms](/artifacts/global/fips-crypto-algorithms/cavp-validation-evidence-workflow.md): Workflow for collecting CAVP and ACVP evidence: algorithm certificates, implementation names, tested parameters, operating environments, and CMVP handoff records. - [FIPS 180-4 and FIPS 202 secure hash guidance](/artifacts/global/fips-crypto-algorithms/secure-hash-fips-180-4-and-fips-202.md): Choose and evidence SHA-2, SHA-3, and SHAKE use under FIPS 180-4, FIPS 202, CAVP validation, and FIPS 140-3 module claims. - [FIPS 186-5 and FIPS 204 digital signatures](/artifacts/global/fips-crypto-algorithms/digital-signatures-fips-186-5-and-fips-204.md): Compare FIPS 186-5 classical digital signatures with FIPS 204 ML-DSA, including scope, algorithm choices, key-use limits, and validation evidence boundaries. - [FIPS 203 ML-KEM vs RSA and ECDH key establishment](/artifacts/global/fips-crypto-algorithms/ml-kem-vs-rsa-and-ecdh.md): Compare FIPS 203 ML-KEM with RSA and ECDH key-establishment schemes using NIST SP 800-56A, SP 800-56B, CAVP, and CMVP grounding. - [FIPS 203, 204, and 205 Post-Quantum Algorithms](/artifacts/global/fips-crypto-algorithms/faq/fips-203-204-and-205-post-quantum-algorithms.md): FAQ on how FIPS 203 ML-KEM, FIPS 204 ML-DSA, and FIPS 205 SLH-DSA fit FIPS-approved cryptographic algorithm planning, implementation evidence, and validation checks. - [FIPS Algorithm Procurement Evidence FAQ](/artifacts/global/fips-crypto-algorithms/faq/procurement-evidence.md): What procurement teams should collect before accepting FIPS algorithm or module claims: CAVP certificates, CMVP module status, security policy scope, and supplier change triggers. - [FIPS approved algorithm selector workflow](/artifacts/global/fips-crypto-algorithms/approved-algorithm-selector-workflow.md): A source-linked workflow for selecting FIPS and NIST-approved cryptographic algorithms without overstating module validation, CAVP evidence, or approved-mode claims. - [FIPS approved mode procurement: certificates, boundaries, and evidence](/artifacts/global/fips-crypto-algorithms/approved-mode-procurement.md): Procurement guidance for FIPS approved mode claims: how to check CMVP certificates, CAVP evidence, module boundaries, tested environments, and supplier evidence before purchase. - [FIPS crypto transition and deprecation tracker](/artifacts/global/fips-crypto-algorithms/transition-and-deprecation-tracker.md): Track FIPS algorithm transitions, withdrawn guidance, CAVP evidence, CMVP module impact, procurement triggers, and approved-mode caveats without overstating validation status. - [FIPS cryptographic algorithm selector](/artifacts/global/fips-crypto-algorithms/algorithm-selector.md): Choose between FIPS algorithm standards for AES, SHA-2, SHA-3, digital signatures, ML-KEM, ML-DSA, and SLH-DSA without overstating validation scope. - [FIPS KDF and MAC coverage for validated modules](/artifacts/global/fips-crypto-algorithms/kdf-and-mac-coverage.md): Map FIPS 140-3 KDF and MAC coverage to approved security functions, CAVP evidence, self-tests, service indicators, and module security policy entries. - [FIPS Key Management Mapping for Algorithms and SSP Evidence](/artifacts/global/fips-crypto-algorithms/key-management-mapping.md): Map FIPS 140-3 key management requirements to approved algorithms, SSP establishment methods, CAVP evidence, module boundaries, and key-use records. - [FIPS Procurement Evidence Review Workflow: CAVP, CMVP, Approved Mode](/artifacts/global/fips-crypto-algorithms/procurement-evidence-review-workflow.md): Review FIPS crypto procurement evidence by separating CAVP algorithm certificates from CMVP module certificates, Security Policy scope, approved mode, operating environment, change impact, and retention records. - [FIPS validation certificates for cryptographic algorithms](/artifacts/global/fips-crypto-algorithms/faq/validation-certificates.md): How to read CAVP algorithm validation certificates and CMVP module validation certificates without overstating FIPS-approved cryptographic algorithm claims. - [FIPS-approved cryptographic algorithms FAQ](/artifacts/global/fips-crypto-algorithms/faq.md): Answers to common FIPS algorithm questions: approved security functions, CAVP validation, CMVP module scope, AES modes, SHA-2, SHA-3, signatures, and post-quantum algorithms. - [How FIPS 186-5 Signature Algorithms Fit FIPS Approval](/artifacts/global/fips-crypto-algorithms/faq/fips-186-5-signatures.md): Use FIPS 186-5 for RSA, ECDSA, deterministic ECDSA, EdDSA, HashEdDSA, DSA verification limits, approved hashes, and CAVP/CMVP evidence boundaries. - [ML-DSA vs ECDSA under FIPS 204 and FIPS 186-5](/artifacts/global/fips-crypto-algorithms/ml-dsa-vs-ecdsa.md): Compare ML-DSA and ECDSA for FIPS-aligned digital signature designs, including parameter choices, key handling, CAVP algorithm evidence, and CMVP module boundaries. - [Post-quantum FIPS 203, 204, and 205: ML-KEM, ML-DSA, and SLH-DSA](/artifacts/global/fips-crypto-algorithms/post-quantum-fips-203-204-205.md): A grounded guide to the three NIST post-quantum FIPS standards: when ML-KEM, ML-DSA, and SLH-DSA apply, what evidence to keep, and how CAVP and CMVP claims differ. - [Post-Quantum Migration for FIPS Cryptography](/artifacts/global/fips-crypto-algorithms/post-quantum-migration.md): Plan post-quantum migration for FIPS cryptography by separating ML-KEM key establishment, ML-DSA and SLH-DSA signatures, CAVP algorithm evidence, and CMVP module validation boundaries. - [Post-Quantum Migration Tracker for FIPS 203, 204, and 205](/artifacts/global/fips-crypto-algorithms/post-quantum-migration-tracker.md): Track post-quantum cryptography migration evidence for FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA, CAVP algorithm certificates, and CMVP module boundaries. - [SHA-2 vs SHA-3 under FIPS 180-4 and FIPS 202](/artifacts/global/fips-crypto-algorithms/sha-2-vs-sha-3.md): Compare SHA-2 and SHA-3 for FIPS use: approved functions, validation evidence, compatibility, procurement checks, and when migration is not required. - [TLS use-case mapping for FIPS algorithm evidence](/artifacts/global/fips-crypto-algorithms/tls-use-case-mapping.md): Map TLS uses to FIPS algorithm, CAVP, CMVP, approved-mode, certificate-authority, and evidence checks without overstating protocol validation claims. - [What does FIPS 197 AES mean for FIPS-approved algorithms?](/artifacts/global/fips-crypto-algorithms/faq/fips-197-aes.md): FIPS 197 defines AES as a FIPS-approved block cipher, but AES use alone is not the same as CAVP algorithm testing or FIPS 140-3 module validation. *Recommended next step* *Placement: after hash-function evidence* ## Separate FIPS 180-4, FIPS 202, CAVP, and CMVP claims before review Use this FAQ to align hash-function selection, algorithm validation evidence, module scope, and approved-mode service documentation. - [Check the evidence boundary](/solutions/assessment.md): Review whether hash, higher-level algorithm, and module validation claims point to the right records. - [Resolve a scoped FIPS question](/solutions/research-copilot.md): Compare CAVP, CMVP, and NIST source support when a hash function is used inside a larger cryptographic claim. - [Talk through implementation](/contact.md): Review the product boundary, operating environment, and validation evidence for the hash functions in scope. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/fips-crypto-algorithms/faq/fips-180-4-and-fips-202-hash-functions