Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

This is an archive
(replace .gov by .rip)

Cryptographic Module Validation Program

Project Links

Standards

This page provides information about the Cryptographic Modules Standards.

FIPS 140-2 (effective 15-Nov-2001)

Security Requirements for Cryptographic Modules

NVLAP accredited Cryptographic and Security Testing (CST) Laboratories perform conformance testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS 140-2, Security Requirements for Cryptographic Modules [ PDF ]. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. For each area, a cryptographic module receives a security level rating (1-4, from lowest to highest) depending on what requirements are met.

An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas. On a vendor's validation certificate, individual ratings are listed, as well as the overall rating. It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address).

FIPS 140-2 Annexes:

Annex A: Approved Security Functions [ PDF 01-10-2018]
Annex B: Approved Protection Profiles [ PDF 12-21-2016]
Annex C: Approved Random Number Generators [ PDF 01-04-2016]
Annex D: Approved Key Establishment Techniques [ PDF 05-10-2017]

Testing Requirements:

Cryptographic module validation testing is performed using the Derived Test Requirements [DTR] for FIPS PUB 140-2, Security Requirements for Cryptographic Modules [PDF]. The DTR lists all of the vendor and tester requirements for validating a cryptographic module, and it is the basis of testing done by the CST accredited laboratories.

Implementation Guidance:

NIST and CSE have developed an Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program [PDF] document for cryptographic module users, vendors and testing laboratories. This is intended to provide clarifications of CMVP programmatic guidance, FIPS 140-2, FIPS 140-2 Derived Test Requirements, testing guidance, and guidance related to the implementation of Approved or non-Approved security functions.

Other Information:

  • FIPS 140-2 was signed on May 25, 2001 and became effective November 15, 2001 when Derived Test Requirements for FIPS PUB 140-2, Security Requirements for Cryptographic Modules was published.
  • The CMVP accepted test reports from CST laboratories against either FIPS 140-1 or FIPS 140-2 and the applicable DTR from November 15, 2001 to May 25, 2002 when the transition period ended.
  • Since May 25, 2002, the CMVP has only accepted test reports against FIPS 140-2.

Back To Top


International Standards

ISO/IEC 19790 Information technology - Security techniques - Security requirements for cryptographic modules

ISO/IEC 19790 1st Edition was published 2006-03-01

ISO/IEC 19790 2nd Edition was published 2012-08-15

It was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 19790 1st Edition was derived from FIPS 140-2, Security Requirements for Cryptographic Modules.

The CMVP does not validate cryptographic modules tested for conformance to ISO/IEC 19790. The CMVP is studying the adoption of this International Standard as the revision of FIPS 140-2.

Copies of ISO/IEC 19790 may be obtained at www.iso.org or www.ansi.org

ISO/IEC 24759 Information technology - Security techniques - Test requirements for cryptographic modules

ISO/IEC 24759 1st Edition was published 2008-07-01.

ISO/IEC 24759 2nd Edition was published 2014-01-31.

It was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 24759 1st Edition was derived from NIST's Derived Test Requirements for FIPS PUB 140-2,Security Requirements for Cryptographic Modules.

Copies of ISO/IEC 24759 may be obtained at www.iso.org or www.ansi.org

Created October 11, 2016, Updated October 04, 2018