Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cryptographic Module Validation Program (CMVP) Validation Authority Updates: Draft NIST SP 800-140x Subseries Available for Comment

NIST has released the Draft Special Publication (SP) 800-140x subseries for public comment. They directly support FIPS 140-3 and the Cryptographic Module Validation Program (CMVP). Comments are due by December 9, 2019.

Summary

NIST has released the following Draft NIST Special Publications (the SP 800-140x “subseries”) for public comment. They directly support Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirement for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP).

Public comments are due December 9, 2019. Also see an overview of the transition to FIPS 140-3.

 

Background

On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019, and becomes effective September 22, 2019.

The new standard introduces some significant changes in the management of the standard. Rather than encompassing the module requirements directly, FIPS 140-3 references International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E). The testing for these requirements will be in accordance with ISO/IEC 24759:2017(E). While there are few major technical requirement changes, the use of the ISO documents requires several procedural changes in the management and execution of the validation process.

The Cryptographic Module Validation Program (CMVP) validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-3 and other cryptography-based standards. The CMVP is a joint effort between NIST and the Canadian Centre for Cyber Security. Modules validated as conforming to FIPS 140-3 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. CMVP acts as the validation authority entity for conformance to the ISO/IEC Standard.

FIPS 140-3 identifies NIST special publications that modify requirements of ISO/IEC 19790:2012 and ISO/IEC 24759:2017 as allowed by the validation authority, CMVP. Drafts of these SP 800-140x documents are currently available for public comment. Final publication of those documents is expected to occur by March 22, 2020.

The public comment period for these documents ends December 9, 2019. Comments should be submitted to sp800-140-comments [at] nist.gov (subject: Comments%20on%20Draft%20SP%20800-140%20documents) (sp800-140-comments[at]nist[dot]gov). See the links at the top of this announcement for details about each draft document.

Released October 9, 2019, Updated October 28, 2019