NVLAP accredited Cryptographic and Security Testing (CST) Laboratories perform conformance testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS 140-2, Security Requirements for Cryptographic Modules [ PDF ]. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. For each area, a cryptographic module receives a security level rating (1-4, from lowest to highest) depending on what requirements are met.
An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas. On a vendor's validation certificate, individual ratings are listed, as well as the overall rating. It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address).
Annex A: Approved Security Functions [ PDF 10-12-2021]
Annex B: Approved Protection Profiles [ PDF 06-10-2019]
Annex C: Approved Random Number Generators [ PDF 10-12-2021]
Annex D: Approved Key Establishment Techniques [ PDF 10-12-2021]
Cryptographic module validation testing is performed using the Derived Test Requirements [DTR] for FIPS PUB 140-2, Security Requirements for Cryptographic Modules [PDF]. The DTR lists all of the vendor and tester requirements for validating a cryptographic module, and it is the basis of testing done by the CST accredited laboratories.
NIST and CSE have developed an Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program [PDF] document for cryptographic module users, vendors and testing laboratories. This is intended to provide clarifications of CMVP programmatic guidance, FIPS 140-2, FIPS 140-2 Derived Test Requirements, testing guidance, and guidance related to the implementation of Approved or non-Approved security functions.