FIPS 140-2 The Next Generation (The Cryptographic Module Validation Program)
Stanley R. Snouffer
On July 17, 1995, NIST established the Cryptographic Module Validation Program (CMVP) which validates cryptographic modules to Federal Information Processing Standard FIPS 140-1 (Security Requirements for Cryptographic Modules), and other FIPS cryptography based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE) of the Government of Canada. Products validated as conforming to FIPS 140-1 are accepted by the Federal agencies of both countries for the protection of sensitive information. The NIST's Computer Security Division together with CSE, serve as the validation authorities for the program. In the CMVP, vendors of cryptographic modules use independent, accredited testing laboratories to test their modules. Currently, there are four National Voluntary Laboratory Accreditation Program (NVLAP) accredited laboratories that perform FIPS 140-1 compliance testing; three in the U.S. and one in Canada. Since the inception of the program, the number of validated modules has nearly doubled each year. As of August 2000 over 100 cryptographic modules from more than forty separate vendors have been validated through the program. The standard is officially reexamined and reaffirmed every five years. In the Fall of 1998 FIPS 140-1 entered a regularly scheduled 5-year review to consider new and/or revised requirements needed to meet technological and economic change. A request for comments on FIPS 140-1 was published on October 23, 1998 in the Federal Register. A revised draft standard was produced based on the public comments received, previously issued implementation guidance and a line by line review by the NIST, CSE, and testing laboratory staff. A second request for comments on the resulting FIPS 140-2 draft was published on November 17 in the Federal Register. Completion of the FIPS 140-1 update to FIPS 140-2 is anticipated in September. This paper is gives an overview of the substantive differences between FIPS 140-2 and FIPS 140-1.
Department of Defense: IA Newsletter
cryprography, cryptographic modules, FIPS 140-1, FIPS 140-2, security
FIPS 140-2 The Next Generation (The Cryptographic Module Validation Program), Department of Defense: IA Newsletter
(Accessed June 3, 2023)