Supporting Documents for FIPS 140-3 and the Cryptographic Module Validation Program (CMVP) Now Available: NIST Special Publication 800-140x Subseries

NIST has published seven documents in the SP 800-140x subseries, supporting documents for FIPS 140-3 and the Cryptographic Module Validation Program.

NIST Special Publications (SP) 800-140 and -140A through -140F are now available. With the completion of these documents, the Cryptographic Module Validation Program (CMVP) is on track to begin accepting validation submissions for FIPS 140-3 in September 2020.

Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, went into effect on September 22, 2019, permitting CMVP to begin accepting submissions from vendors under the new validation testing scheme in September 2020. The FIPS 140-3 standard introduces some significant changes. Rather than encompassing the module requirements directly, FIPS 140-3 references the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012, which specifies the cryptographic module requirements as well as the associated guidance issued through Annexes. The ISO/IEC 24759 extracts the requirements of ISO/IEC 19790, prescribing the vendor information and lab procedures needed to assure that the requirements are met.

The CMVP validation authority—comprised of the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security—manages FIPS 140-3 validations. With permission granted by ISO/IEC 19790:2012 to validation authorities, the CMVP has created seven documents to manage the seven areas of allowed changes. The SP 800-140x subseries consists of the following:

  • SP 800-140 establishes additional evidence and testing necessary to meet CMVP cryptographic module validation requirements;
  • SP 800-140A updates the minimum vendor evidence to include CMVP-specific vendor requirements;
  • SP 800-140B updates the vendor-generated security policy, providing templates to aid in the presentation of security information;
  • SP 800-140C lists the CMVP-approved security functions to be used in approved modes of operation;
  • SP 800-140D lists CMVP-approved sensitive security parameter generation and establishment methods for approved modes of operation;
  • SP 800-140E specifies the CMVP authentication requirements of cryptographic modules; and
  • SP 800-140F specifies non-invasive physical security requirements for modules that support those security measures.

Released March 20, 2020