Supporting Documents for FIPS 140-3 and the Cryptographic Module Validation Program (CMVP) Now Available: NIST Special Publication 800-140x Subseries

NIST Special Publications (SP) 800-140 and -140A through -140F are now available. With the completion of these documents, the Cryptographic Module Validation Program (CMVP) is on track to begin accepting validation submissions for FIPS 140-3 in September 2020.

Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, went into effect on September 22, 2019, permitting CMVP to begin accepting submissions from vendors under the new validation testing scheme in September 2020. The FIPS 140-3 standard introduces some significant changes. Rather than encompassing the module requirements directly, FIPS 140-3 references the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012, which specifies the cryptographic module requirements as well as the associated guidance issued through Annexes. The ISO/IEC 24759 extracts the requirements of ISO/IEC 19790, prescribing the vendor information and lab procedures needed to assure that the requirements are met.

The CMVP validation authority—comprised of the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security—manages FIPS 140-3 validations. With permission granted by ISO/IEC 19790:2012 to validation authorities, the CMVP has created seven documents to manage the seven areas of allowed changes. The SP 800-140x subseries consists of the following:

SP 800-140 establishes additional evidence and testing necessary to meet CMVP cryptographic module validation requirements;
SP 800-140A updates the minimum vendor evidence to include CMVP-specific vendor requirements;
SP 800-140B updates the vendor generated security policy, providing templates to aid i ..

Support the originator by clicking the read the rest link below.