U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

Supporting Documents for FIPS 140-3 and the Cryptographic Module Validation Program (CMVP) Now Available: NIST Special Publication 800-140x Subseries
March 20, 2020

NIST Special Publications (SP) 800-140 and -140A through -140F are now available. With the completion of these documents, the Cryptographic Module Validation Program (CMVP) is on track to begin accepting validation submissions for FIPS 140-3 in September 2020.

Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, went into effect on September 22, 2019, permitting CMVP to begin accepting submissions from vendors under the new validation testing scheme in September 2020. The FIPS 140-3 standard introduces some significant changes. Rather than encompassing the module requirements directly, FIPS 140-3 references the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012, which specifies the cryptographic module requirements as well as the associated guidance issued through Annexes. The ISO/IEC 24759 extracts the requirements of ISO/IEC 19790, prescribing the vendor information and lab procedures needed to assure that the requirements are met.

The CMVP validation authority—comprised of the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security—manages FIPS 140-3 validations. With permission granted by ISO/IEC 19790:2012 to validation authorities, the CMVP has created seven documents to manage the seven areas of allowed changes. The SP 800-140x subseries consists of the following:

  • SP 800-140 establishes additional evidence and testing necessary to meet CMVP cryptographic module validation requirements;
  • SP 800-140A updates the minimum vendor evidence to include CMVP-specific vendor requirements;
  • SP 800-140B updates the vendor generated security policy, providing templates to aid in the presentation of security information;
  • SP 800-140C lists the CMVP-approved security functions to be used in approved modes of operation;
  • SP 800-140D lists CMVP-approved sensitive security parameter generation and establishment methods for approved modes of operation;
  • SP 800-140E specifies the CMVP authentication requirements of cryptographic modules; and
  • SP 800-140F specifies non-invasive physical security requirements for modules that support those security measures.

Learn more about:

Related Topics

Security and Privacy: cryptography, testing & validation

Created March 20, 2020, Updated June 22, 2020