Search CSRC

This page focuses on the progress of transitioning cryptographic module security standards and associated documents from FIPS 140-2 to FIPS 140-3.  The process includes organizational, procedural and the resultant automated processing changes necessary to update and efficiently manage the ever increasing list of security products that are tested for use in the US and Canadian governments.  The procedural changes include the migration from internally developed security standards to the additional activities of working with a set of standards developed and maintained by an international body,...

Overview of the Documentation and Governance for the FIPS 140-3 Cryptographic Module Validation Program Federal Information Processing Standards Publication (FIPS) 140-3 became effective September 22, 2019, permitting CMVP to begin accepting validation submissions under the new scheme beginning September 2020. The FIPS 140-3 standard introduces some significant changes in the management over the previous standard. Rather than encompassing the module requirements directly, FIPS 140-3 references  International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)...

The FISSEA Contest will begin on May 3rd, 2021. Submissions are due June 30th, 2021 View the list of previous contest winners from the past conferences. Contest Entry Form Showcase one or all of the following awareness, training, and/or education items you use as a part of your Security program. Please do not use this contest as a project assignment for a class. There will be one winner selected for each category listed below. Categories: Awareness Poster. Innovative Solutions – A cutting-edge solution to help solve current cybersecurity training and awareness challenges that DOES NOT...

Nomination Information: Each year at the annual conference, FISSEA recognizes an individual who has made significant contributions in inspiring the strategic planning, building, and management of innovative cybersecurity awareness and training programs. Nominees may be involved in any aspect of cybersecurity awareness and training, including, but not limited to; cyber instructional curriculum developers, cybersecurity instructors, cybersecurity program managers, workforce development managers, and practitioners who further awareness and training activities or programs. Nominees can come...

Contest Winners for 2020: Winners (selected by impartial judging committee prior to conference): Poster: Deborah Coleman, U.S. Department of Education Motivational Item: United States Postal Service, CISO Website: IHS OIT Division of Information Security Newsletter: National Institutes of Health – Cyber Safety Awareness Campaign Video: CMS/OIT Information Security & Privacy Group (ISPG) Blog: Cofense Podcast: CMS/OIT Information Security & Privacy Group (ISPG) Security Training Scenarios: Media Pro Contest Winners for 2019: Winners (selected by impartial judging...

2019: Shehzad Mirza, Director of Operations – Global Cyber Alliance 2018: Earl “Fred” Bisel Jr, Cybersecurity Education and Certification Readiness Facilities (CERF) Manager Nomination Letter for 2018 EOY Award 2017: Mike Petock, All Native Group (ANG) Nomination Letter for 2017 EOY Award 2016: Sushil Jajodia, George Mason University Nomination Letter for 2016 EOY Award 2015: Gretchen Ann Morris, DB Consulting/NASA John H. Glenn Research Center Nomination Letter for 2015 EOY Award 2014: Shon Harris, Logical Security, presented posthumously  Nomination Letters for 2014 EOY Award...

SIMfill -- SIMfill is a java application that populates Subscriber Identity Modules (SIMs) with reference data and can be used to assess the data recovery capabilities of forensic SIM tools. The package includes an initial set of reference data for use with SIMfill, the source and compiled code, a readme file, a user's guide, and a video demonstration. Download the zipped file for SIMfill. (File UPDATED May 3, 2010).

The Electronic Evidence Information Center is a compilation of resources pertaining to the field of digital forensics with a specialization in mobile devices. Mobile and PDA Forensics provides links to journal articles, publications, presentations, and books pertaining to the field of mobile device forensics. Phone Forensics is a website that has been developed for mobile phone forensic practitioners by practitioners. Phone Forensics Group provides users with training, procedures, software, hardware, solutions and best forensic practices through a Yahoo mail group.

Linux Devices.com is a comprehensive webpage with information on current open source coding projects for linux systems, quick references to Linux code in different programming languages, and user/developer forums. Handhelds.org has quick links to every aspect of programming on PDAs. The site features "How to" files, open source code, Linux release downloads, and easy references to many other resources. Also at Handhelds.org is the new Linux Familiar release. Familiar now features a multi-user capacity for Linux based PDAs. For information on the known security issues on Palm powered PDAs...

The UMBC Agent Web has information and resources about intelligent information agents, intentional agents, software agents, softbots, knowbots, infobots, etc. The Mobile Agent Security Bibliography contains a good collection of reference manuscripts on mobile agent security maintained by the developers of Mole. The Annotated Bibliography on Mobile Agent Security contains another collection of references and links to mobile agent security documents organized under various themes. The Mobility Mailing list has been set up to discuss all things pertaining to mobile code, objects, agents and...

[01-30-17] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS21.2). The following modifications have been made: CAVS would become unresponsive if Modify New Submission was selected several times. This has been corrected. On the Modify New Submission screen, some words were not displayed fully. This has been corrected. The algorithm validation numbers are now checked to assure they are numeric. If they are not, an error message is displayed. When preparing change request, if any information was updated EXCEPT the implementation type...

July [07-06-16]--Updated Triple DES sample files to remove encrypytion with keying option 2 and to correct the values for OFB-I Monte Carlo. [07-06-16]--New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS20.2). The following modifications have been made: Corrected bug in TDES OFB-I Monte Carlo test. KAS ECC values were reported for keys shorter than expected. Corrected. KAS FFC Header [HMAC SHAs supported was missing ending]. Corrected. KAS ECC Header when EE parameter set selected [SHA(s) supported (Used in the KDF function): was missing...

December [12-29-15]--New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS18.0). Contains changes to the testable functions in some of the approved cryptographic algorithms to reflect the transition to the use of stronger cryptographic keys and more robust algorithms (as recommended in NIST SP800-131A Revision 1 Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths) effective January 1, 2016. It also includes several corrections to existing bugs. The following changes have been made : SP800-131A Revision 1...

December [12-23-14] -- Updated SP800-56A Key Agreement Schemes (KAS) Test Vectors. [12-8-14] -- CAVP request that CST Laboratories assure the accuracy of the vendor and implementation information given for cryptographic algorithm implementation validation requests; i.e., Vendor URL, etc. [12-8-14] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS17.4). The following modifications have been made: SP800-38F:A  Error corrected in authenticatedDecryptionTest SP800-135: IKEv2 minimum for nonce and payload should be 128 bits instead of 64 bits...

December [12-12-13] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS16.0). contains changes to the testable functions in some of the approved cryptographic algorithms to reflect the transition to the use of stronger cryptographic keys and more robust algorithms (as recommended in NIST SP800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths) effective January 1, 2014. The following changes have been made : DSA (Refers to FIPS 186-2) Removed DSA tab. PQG Generation, Key Pair Generation, and...

December [12-18-12] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS14.2). This version of the CAVS tool addresses minor updates: KAS ECCCDH Primitive Component: Modified code that creates txt file for website to include IUT's private key in the file. KAS ECCCDH Primitive Component: ECCCDH Primitive Verify was erroneously requiring SHA as a prerequisite. ECCCDH Primitive Compoent testing does not require any prerequisites. This has been corrected. KASECC: Changed the IDD-KASPREREQUISITESECC screen. Indicates that ECDSA PKV is not needed...

[09-8-11] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS11.5). This version of the CAVS tool addresses: 186-3 RSA - Corrected bug in file formatting of RSA Key Generation using Random Primes that are Probably Prime (B.3.3) that was causing the verification of the file to fail. In 186-3 RSA Signature Verification, added the ability for the IUT to indicate they only support fixed pubic key e values. If they indicate they only support fixed public key values, they must enter at least one value for the public key. They may enter up to 2 values to be...

[06-07-10] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS10.1). This version of the CAVS tool addresses a correction to the Key Agreement Schemes ECC with No Key Confirmation (KAS ECC No KC) screen. (When parameter set EA was selected, the radio button for the curve size would only allow P-192 to be selected.) This has been corrected. The transition period ends September 7, 2010. As has been the policy in the past: EFFECTIVE IMMEDIATELY on any new validation requests for implementations of TDES, AES, 186-2 DSA, SHA, RNG, RSA, HMAC, CCM, 186-2...

September [09-17-09] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS8.1). This version of the CAVS tool addresses several minor modifications and enhancements to CAVS including the Addition of a cover letter template, the addition of more efficient elliptic curve routines for NIST binary (e.g.., B-163 and K-571) curves, and the modification of several minor issues. The transition period ends December 17, 2009. As has been the policy in the past: EFFECTIVE IMMEDIATELYA on any new validation requests for implementations of TDES, AES, DSA,...

[12-24-2008] -- New release of the CAVS algorithm validation testing tool to the CMT Laboratories (CAVS7.0). Version 7.0 of the CAVS tool adds testing for NIST SP 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography and NIST SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. In addition, file formating changes have been made to the CCM Decrypt-Verification Process Test. The transition period ends March 24, 2009. As has been the policy in the past: For any algorithm validation request where...

2007 [11-15-2007] -- New release of the CAVS algorithm validation testing tool to the CMT Laboratories (CAVS6.0). Verison 6.0 of the CAVS tool adds testing for NIST SP 800-90 Deterministic Random Bit Generators. The transition period ends February 15, 2008. As has been the policy in the past: For any algorithm validation request where a lab has used a previous version of CAVS to create files and has already sent the sample and request files to the vendor, NIST will accept validations using this tool up through February 15, 2008. The tool used to generate the files must be used to...

Algorithm Specifications Algorithm specifications for Key Agreement Schemes and Key Confirmation (SP800-56A) are available from the Cryptographic Toolkit. Algorithm Validation Testing Requirements The algorithm validation testing requirements for SP 800-56A are specified in: The KAS Validation System (KASVS) Testing Notes Prerequisites for KAS testing are listed in the CAVP Frequently Asked Questions (CAVP FAQ) General Question GEN.5. Test Vectors Use of these test vectors does not replace validation obtained through the CAVP. The test vectors linked below can be used...

The MIP list contains cryptographic modules on which the CMVP is actively working. For a module to transition from Review Pending to In Review, the lab must first pay the NIST Cost Recovery fee, and then the report will be assigned as resources become available. The validation process is a joint effort between the CMVP, the laboratory and the vendor and therefore, for any given module, the action to respond could reside with the CMVP, the lab or the vendor. This list does not provide granularity into which entity has the action. If you would like more information for a specific cryptographic...

The IUT list is provided as a marketing service for vendors who have a viable contract with an accredited laboratory for the testing of a cryptographic module. The CMVP does not have detailed information about the specific cryptographic module or when the test report will be submitted to the CMVP for validation. When the lab submits the test report to the CMVP, the module will transition from the IUT list to the MIP list. If you would like more information about a specific cryptographic module or its schedule, please contact the vendor.  

2016 [Updated 12-19-2016] -- Module Drop Policy Effective July 1, 2017, the CMVP will automatically drop modules in IUT after 18 months. Effective January 1, 2018, the CMVP will drop modules that have not been validated within 2 years of submission or IUTB, whichever occurred first. When the module is dropped, the vendor and lab will have to restart the validation process by sending an updated submission and paying a new cost recovery fee at the current rate. [Updated 06-01-2016][11-12-2015] -- Validation Sunsetting Policy The CMVP is adopting a five year validation...