Regarding the OATH TOTP G-Pass tokens, it is our understanding that OATH TOTP tokens do not fall under the FIPS requirements because they are not based on key-pair or PKI technology, which requires the use of crypto modules on the token to protect the private key. There is no private key that requires a crypto module on the SurePassID G-Pass tokens.
Here is an excerpt from an RSA article regarding the TOTP type of tokens:
“In general, FIPS 140-2 is not applicable to hardware OTP devices as cryptography is not used here in the traditional sense. Some people have pointed to the FIPS 140-2 requirement around random number generation (RNG), but [SurePassID] does not use RNG in this way (SurePassID token OTPs can't be a random number or there would be no way for token and server to derive the same value). Others have pointed out the FIPS requirement for performing a Power-On Self Test (POST). Unlike an event-based token that is "powered on" with each button press, however, [SurePassID] time-based tokens are always on and are therefore not subject to this requirement. It is worth noting that RSA [and SurePassID tokens] does perform an initial POST in manufacturing when the token is first powered on and programmed.”
The G-Pass tokens are tamper-resistant and conform to all other OATH standards for TOTP tokens. They are used by various government agencies and contractors where FIPS compliance is required for other types of PKI, PIV, and CAC credentials that are based on "smart card" or "smart chip" cryptographic modules.