This is a potential security issue, you are being redirected tohttps://csrc.nist.gov.
Official websites use .gov
A.gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
Alock () orhttps:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment. The goal of the CMVP is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. CMVP has over 1,000 validated modules that are currently active, with over 5,000 modules validated since the beginning of the program.
Cryptographic and Security Testing Laboratories (CSTLs) verify each module meets a set of testable cryptographic and security requirements. Each CSTL submission reviewed and validated by CMVP. Each CSTL is an independent laboratory accredited by NVLAP.
As of September 22, 2020, CMVP began validating cryptographic modules to Federal Information Processing Standard (FIPS) 140-3,Security Requirements for Cryptographic Modules. CMVP accepted cryptographic module submissions to Federal Information Processing Standard (FIPS) 140-2,Security Requirements for Cryptographic Modules until March 31, 2022.As of April 1, 2022, the CMVP no longer accepted FIPS 140-2 submissions for new validation certificates except as indicated in the table below.
FIPS 140-3 validations are currently being accepted. Upon validation, modules will be placed on the Active list for 5 years (or 2 years for Interim Validations) and may be used for new and existing systems.
Modules validated as conforming to FIPS 140-2 can continue to be accepted by the Federal agencies of both countries for the protection of controlled unclassified information (United States) or Designated Information (Canada) through September 21, 2026. After that time CMVP will place the FIPS 140-2 validated modules on the Historical list, allowing agencies to continue using these modules for existing systems only. Agencies should continue to make use of FIPS 140-2 modules until replacement FIPS 140-3 modules become available.
The two-year interim submission option for validations has greatly ramped up processing of validation submissions, and the automated processing of SP 800-140Br1 formatted submissions will reduce the backlog in the validation process. The table below highlights important changes in the CMVP.
Date | Activity |
|---|---|
September 22, 2020 | CMVP accepts FIPS 140-3 submissions. |
| June 14, 2021 | Last date CSTLs accepted contracts for FIPS 140-2 Scenario 5 and Scenario 3. |
September 22, 2021 | CMVP no longer accepts FIPS 140-2 submissions for new validation certificates. |
| April 1, 2022 | CMVP only accepts FIPS 140-2 reports that do not change the validation sunset date. |
| June 6, 2024 | CMVP initiates two-yearinterim validations for modules submitted before Jan 1, 2024. |
September 21, 2026 | FIPS 140-2 active modules can be used until this date for new systems. After this date, FIPS 140-2 validation certificates will be moved to the Historical List. |
FIPS 140-2 and FIPS 140-3 requirements are applicable to all U.S. Federal agencies. Agencies must use cryptographic-based security systems to provide adequate information security for all operations and assets as defined in 15 U.S.C. § 278g-3.
Non-validated cryptography is viewed as providing no protection to the information or data—in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 or FIPS 140-3 is applicable. In essence, if cryptography is required, then it must be validated. Should the cryptographic module be revoked, use of that module is no longer permitted.
DavidHawes -NIST CMVP Program Manager
[email protected]
KailaiChen -CCCS CMVP Program Manager
[email protected]
Security and Privacy:cryptography,testing & validation
Technologies:hardware,software & firmware
Validated ModulesSearchCaveatsModules In ProcessModules In Process ListImplementation Under Test ListEntropy ValidationsEntropy Source Validation SearchEntropy Validation AnnouncementsESVEntropy Source Validation WorkshopEntropy Validation DocumentsProgrammatic TransitionsCMVP FIPS 140-2 Management ManualCMVP FIPS 140-2 Related ReferencesCMVP FIPS 140-3 Management ManualCMVP FIPS 140-3 Related ReferencesFIPS 140-2 IG AnnouncementsFIPS 140-2 Announcements ArchiveFIPS 140-3 IG and RFG AnnouncementsSP 800-140 Series Supplemental InformationSP 800-140B: CMVP Security Policy RequirementsSP 800-140C: Approved Security FunctionsSP 800-140D: Approved SSP Generation and Establishment MethodsFIPS 140-2 ResourcesFIPS 140-3 ResourcesUse of FIPS 140-3 or FIPS 140-2 Logo and PhrasesCVP Certification Exam InformationNIST Cost Recovery FeesCST Lab Accreditation and FeesArchived NoticesCMVP Validation Process
DavidHawes -NIST CMVP Program Manager
[email protected]
KailaiChen -CCCS CMVP Program Manager
[email protected]
Security and Privacy:cryptography,testing & validation
Technologies:hardware,software & firmware
