FAQs

Jump to:

PROGRAMMATIC

P-1. What is the purpose of the Cryptographic Module Validation Program (CMVP)?

On July 17, 1995, the National Institute of Standards and Technology (NIST) established the CMVP to validate cryptographic modules to Federal Information Processing Standards (FIPS) 140-1 Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards. FIPS are standards for federal computer systems that are developed by the National Institute of Standards and Technology (NIST) and approved by the Secretary of Commerce in accordance with the Information Technology Management Reform Act of 1996 and Computer Security Act of 1987.

P-2. What is the history of the FIPS 140 standards and the most current version?

FIPS 140-1, Security Requirements for Cryptographic Modules, was published on January 11, 1994. FIPS 140-2, Security Requirements for Cryptographic Modules, was released on May 25, 2001, and superseded FIPS 140-1. On March 22, 2019, FIPS 140-3, Security Requirements for Cryptographic Modules, was published and superseded FIPS 140-2. 

P-3. Is the CMVP a joint program?

The CMVP is a joint effort between NIST and the Canadian Center for Cyber Security (CCCS) of the Government of Canada. Modules validated as conforming to either FIPS 140-2 or FIPS 140-3 are accepted by the Federal Agencies of both countries for the protection of controlled unclassified information. Vendors of cryptographic modules use independent, accredited Cryptographic and Security Testing Laboratories (CSTLs) to test their modules. 

P-4. Is the use of validated cryptography required by U.S. Federal agencies?

FIPS 140-2 and FIPS 140-3 requirements are applicable to all U.S. Federal agencies. Agencies must use cryptographic-based security systems to provide adequate information security for all operations and assets as defined in 15 U.S.C. § 278g-3. Additionally, cryptographic modules must meet the requirements outlined in the FIPS 140 standards in order to comply with the FISMA mandate.

Non-validated cryptography is viewed as providing no protection to the information or data—in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 or FIPS 140-3 is applicable. In essence, if cryptography is required, then it must be validated.

P-5. Which CMVP documents explain the various program processes?  

Please visit FIPS 140-2 Management Manual and FIPS 140-3 Management Manual.

P-6. This Is my first time working with FIPS 140-2 and FIPS 140-3, and the CMVP. What do I need to know?

First, become familiar with the FIPS requirements and the CMVP - a brief description of each is provided in the “What is the history of the FIPS 140 standards and the most current version?” and “What is the purpose of the CMVP?” FAQs above.

The CMVP website provides an overview of the CMVP and how the CMVP addresses the needs of U.S. and Canadian governments. 

P-7. Will patching a FIPS 140 validated module to address a vulnerability (e.g., CVE) invalidate the module?

Please visit "FIPS Validation and Updates, Patches, and CVEs" in the CMVP Process Flow webpage.

P-8. What are the steps involved in the CMVP validation process?  

A flowchart listing the steps to obtain a module validation.

P-9. What is the role of an accredited Cryptographic Security Testing Laboratory (CSTL)?

The role of the CST Laboratories is to test the cryptographic module against all applicable requirements as specified in FIPS 140-2 or FIPS 140-3 and in the cryptographic algorithm standards and record the results. If a cryptographic module conforms to all the functional and assurance requirements as stated in the Derived Test Requirements, the CST laboratory submits a written report to the Validation Authorities. If a cryptographic module does not meet one (or more) requirements, the CST Laboratory will work with the vendor to resolve all discrepancies prior to resubmitting the validation package to the Validation Authorities.

P-10. How do I locate a list of the accredited CSTLs which perform the FIPS conformance testing? 

Please visit Information on CST Lab Accreditation and Fees. Please be advised that the CSTLs charge a fee for the conformance testing.  Fees may vary by laboratory.  Please consult them directly to obtain fee information.  

P-11. How can I become one of the accredited CSTLs?

Please visit Testing Laboratories and NVLAP for the details.

P-12. Where can I locate the fees that NIST charges for a FIPS validation?  

Please visit NIST Cost Recovery Fees.

P-13. Are there any prerequisite validations required by the CMVP validation process?

Yes, cryptographic algorithms approved for use in the modules must first be validated by the Cryptographic Algorithm Validation Program (CAVP), before submitting the module validation to the CMVP.

P-14. What is the role of the vendor?

The role of the vendors is to design and produce cryptographic modules to comply with the functional and assurance requirements specified in the applicable standards. When a cryptographic module is ready for testing, the vendor submits the module and the associated documentation to one of the CSTLs for testing.

P-15. If I am a vendor seeking FIPS 140-3 validation, what should I do?

Work with an accredited CSTL to obtain conformance testing. To find a list of CSTLs, please visit NVLAP Program for Cryptographic Module Testing.

P-16. What is the user’s role?

A user verifies that a cryptographic module they are considering purchasing has been validated and can verify this at Validated Modules. The user should consult the security policy for the cryptographic module to ensure that the module provides the security features that are required by the user.

P-17. Can I incorporate another vendor’s validated cryptographic module in my product?

Yes. A cryptographic module that has already been issued a FIPS 140-2 or FIPS 140-3 validation certificate may be incorporated or embedded into another product. The new product may reference the FIPS 140-2 or FIPS 140-3 validated cryptographic module so long as the new product does not alter the original validated cryptographic module. A product which uses an embedded validated cryptographic module cannot claim itself to be validated; only that it utilizes an embedded validated cryptographic module. In such case, vendors may use the phrase "FIPS 140-[2 or 3] Inside" (see Use of FIPS 140-3 or FIPS 140-2 Logo and Phrases webpage).

There is no assurance that a product is correctly utilizing an embedded validated cryptographic module – this is outside the scope of the FIPS 140-2 or FIPS 140-3 validation.

Note, this FAQ is related to but different from guidance specified in: IG 1.A Binding and Embedding Cryptographic Modules.

P-18. If I use another company’s FIPS 140-3 certified libraries in my product, is my product still considered validated?

A vendor may claim its product to be FIPS 140-3 "compliant" and use the phrase "FIPS 140-[2 or 3] Inside" (see Use of FIPS 140-3 or FIPS 140-2 Logo and Phrases webpage). FIPS 140-3 "compliant" means a vendor believes its product implementation meets the FIPS 140-3 requirements, but the product has not gone through the CMVP validation process. Having a validated product means that it has gone through independent testing conducted by an accredited CSTL and its testing is verified by the CMVP. A validated product will have a CMVP issued certificate number.

P-19. What process does the CMVP follow if informed by 3rd parties regarding module non-compliance issues?

The CMVP will review the information provided for technical merit and specificity. If the information provides specific technical characteristics that appear to question conformance issues of a validated module, the CMVP will sanitize the information and forward it to the Cryptographic Security Testing Laboratory (CSTL) responsible for the module’s compliance testing. The CSTL will review the information for accuracy and merit. If the provided information appears to surface a non-compliance issue, the CSTL and CMVP will review and confirm the non-compliance. Based on the nature of the non-compliance, the CMVP will take necessary actions that may ultimately lead to the removal of the validation certificate from the active list. The CMVP, working with NVLAP, the CSTL accrediting body, will also investigate the CSTLs testing methodologies and follow up with necessary corrective action.

See related information in the FIPS 140-3 Management Manual "Historical or Revoked Validations".

P-20. What is the result of loading additional non-validated applications within a FIPS validated cryptographic module?

Any non-validated applications subsequently loaded and executed within a FIPS 140-2 or FIPS 140-3 validated cryptographic module invalidates the original validation.

STANDARDS/GUIDANCE

SG-1. Where do I find information on the latest FIPS 140 standard (FIPS 140-3) and its associated supplemental information? 

Please visit our websites, CMVP FIPS 140-3 Standards, and SP 800-140 Series Supplemental Information.

SG-2. Where do I find information on FIPS 140-3 Implementation Guidance?  

Please visit FIPS 140-3 IG Announcements.

SG-3. Where can I find additional FIPS 140-3 technical resources?  

Please visit FIPS 140-3 Resources. 

SG-4. I have a question that is not covered by the CMVP published guidance.  How can I get help?   

General correspondence to the NIST CMVP is sent to: cmvp@nist.gov.

Module and compliance specific questions should be discussed between the vendor and labs (CSTLs). If further clarification is needed, please follow Section "2.5 Request for Guidance from CMVP" of the FIPS 140-3 CMVP FIPS 140-3 Management Manual that describes how to submit a Request for Guidance (RFG). In order to support a faster response to your inquiry, please submit non-proprietary RFGs in lieu of proprietary RFGs whenever feasible. 

SG-5. Where can I find information about the upcoming programmatic transitions?  

Please visit Programmatic Transitions.

SG-6.  If a module supports an industry protocol, is the protocol itself tested by the CAVP and/or CMVP? 

No, neither the CAVP nor the CMVP tests the industry protocol’s compliance to the applicable industry standard, but their underlying approved algorithms are tested to the applicable algorithm standards by the CAVP and incorporated into services that are part of the CMVP validation.

SG-7. What is the difference between “Compliant”, “Certified” and “Validated”?

The correct the term is validated. If a vendor is making a claim of compliance, conformance or certification to the FIPS 140 standards, request the associated validation certificate number. For a list of all the CMVP validated modules, please visit Validated Modules.

SG-8. How can a cryptographic module’s validation be verified?

To verify a cryptographic module, please visit Validated Modules.

When selecting a module from a vendor, verify that the application or product that is being offered is either a validated cryptographic module itself (e.g. VPN, SmartCard, etc) or the application or product uses an embedded validated cryptographic module (toolkit, etc). Ask the vendor to supply a signed letter stating their application, product or module is a validated module or incorporates a validated module, the module provides all the cryptographic services in the solution and reference the modules validation certificate number. The information on the CMVP validation entry can be checked against the information provided by the vendor and verified that they agree. If they do not agree, the vendor is not offering a validated solution. Each entry will state what version/part number/release is validated, and the operational environment (if applicable) the module has been validated. For a validated module that is a software or firmware module, guidance on how the module can be ported to similar operational environments while maintaining the validation can be found in the FIPS 140-2 Implementation Guidance or in the FIPS 140-3 Management Manual.

CMVP LISTS  

CL-1. Where can I find a searchable list of FIPS 140-2 and FIPS 140-3 validated modules?

Please visit Validated Modules.

CL-2. What is the difference between the Basic and Advanced search?

The Basic search returns all the currently active validations starting with the most recent validation.   

The advanced search feature allows a user to search on specific fields related to the validation (e.g. module name, vendor name, certificate number, security level, FIPS standard).

CL-3. What is an active module?

This module meets the requirements of either the FIPS 140-2 or FIPS 140-3 standard as annotated on the CMVP validation entry.  This is the default status for all newly validated modules.

CL-4. Which modules are on the active list? 

FIPS 140-1 validated modules are no longer on the active list. FIPS 140-2 validated modules will remain on the active list through September 21, 2026. On September 22, 2026, only FIPS 140-3 module validations will remain on the active list. 

CL-5. Where can I find a list of the active modules? 

There are two methods to find the list of active modules.  The first method is select the Basic search which returns all active modules with the most recent validation appearing first.  

The second method is to select the Advanced search and select Validation Status: Active and select either Standard: FIPS 140-2 or FIPS 140-3 as applicable. 

CL-7. I have a certificate number for a validated module.  How do I find that validation entry? 

Select Basic or Advanced search option and enter the Certificate number in the searchable field. 

Please note that the Validation Status defaults to the active list in this search.  The historical and revoked lists can also be selected. 

CL-8. What is a historical module?  

If a validation certificate is marked as  historical, this does not mean that the overall FIPS-140 certificate for this module has been revoked, rather it indicates that the certificate and the documentation posted with it is either more than 5 years old, or that it was moved to the historical list because of programmatic transitions. In these cases, the certificates have not been updated to reflect latest guidance and/or transitions and may not accurately reflect how the module can be used in FIPS/approved mode.  

For more detail, please visit Information About Historical Modules and related information in the FIPS 140-3 Management Manual.

CL-9. Where can I find a list of historical modules? 

Historical modules can be located at Validated Modules, using the Advanced search function.  In the dropdown field for “Validation Status”, select Historical, and click on “Search”.

CL-10. What is a revoked module?

If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to the 140 standards. 

For more information on Revoked validations, please review related information in the FIPS 140-3 Management Manual.

CL-11. Where can I find a list of revoked modules? 

Revoked modules can be located using the Advanced search function at Validated Modules. In the dropdown field for “Validation Status”, select Revoked and click on “Search”

CL-12. What is the sunset date on the validation entry?

The Sunset date indicates the date that the module will be removed from the active list. Being removed from the active list indicates that the certificate and the documentation posted with it is more than 5 years old, no longer meets the current guidance, or failed to meet the new requirements of a programmatic transition. For more detail, please visit Validated Modules.

CL-13. After searching the validation lists, I can’t find the vendor’s product.  What do I do? 

It is important to note that validation certificates are issued for cryptographic modules. A module may either be an embedded component of a product or application, or a complete product in and of itself. If the cryptographic module is a component of a larger product or application, one should contact the product or application vendor in order to determine what products utilize an embedded validated cryptographic module. There are inevitably a larger number of security products available which use a validated cryptographic module than the number of modules which are found in this list. In addition, it is possible that other vendors, who are not found in this list, might incorporate a validated cryptographic module from this list into their own products. 

CL-14. Where can I find a list of modules that have been submitted to the CMVP but have not yet been validated? 

This list of the submitted modules is in the Modules In Process List. At the bottom of the list, there are two categories, "Displayed" and "Not Displayed", along with the totals for each.  Vendors have the option to exclude their modules from this list, and those excluded modules are categorized under "Not Displayed". 

Currently, for FIPS 140-3 submissions, only the FS (full submission) and UPDT (update) scenarios are tracked on the MIP list.  See Section 7.1 of the CMVP Management Manual for a description of all the submission scenarios.

CL-15. Where can I locate an explanation of the status information displayed on the MIP list?

The various stages of the validation process are described at CMVP Validation Process.

CL-16. What is the IUT list? 

The IUT list is provided as a marketing service for vendors who have a viable contract with an accredited laboratory for the testing of a cryptographic module, and the module and required documentation is resident at the laboratory.  Inclusion on this list is voluntary.  The CMVP does not have detailed information about the specific cryptographic module or when the test report will be submitted to the CMVP for validation. When the lab submits the test report to the CMVP, the module will transition from the IUT list to the MIP list. If you would like more information about a specific cryptographic module or its schedule, please contact the vendor. 

CL-17. Where can I find the IUT list? 

Please visit Implementation Under Test List. 

CL-18. What should I do if I need to validate an Entropy Source?

Please visit Entropy Validations.

CL-19. Where can I locate the list of the validated Entropy Source validations?

Please visit Entropy Source Validation Search.

FIPS LOGOS

FL-1. What are the guidelines for using the FIPS 140-2 and FIPS 140-3 logos?  

Guidance on Use of FIPS 140-2 and FIPS 140-3 Logo.

FL-2. How do I obtain the artwork for these logos? 

Please complete the FIPS 140-2 or FIPS 140-3 logo form located at the link above and submit the completed form to cmvp@nist.gov. Please note that the FIPS 140 logos are a trademark of NIST and improper usage will be reported.

Project Links

Overview FAQs News & Updates Publications

Additional Pages

Validated Modules Search Caveats Modules In Process Modules In Process List Implementation Under Test List Entropy Validations Entropy Source Validation Search Entropy Validation Announcements ESV Entropy Source Validation Workshop Entropy Validation Documents Programmatic Transitions CMVP FIPS 140-2 Management Manual CMVP FIPS 140-2 Related References CMVP FIPS 140-3 Management Manual CMVP FIPS 140-3 Related References FIPS 140-2 IG Announcements FIPS 140-2 Announcements Archive FIPS 140-3 IG and RFG Announcements SP 800-140 Series Supplemental Information SP 800-140B: CMVP Security Policy Requirements SP 800-140C: Approved Security Functions SP 800-140D: Approved SSP Generation and Establishment Methods FIPS 140-2 Resources FIPS 140-3 Resources Use of FIPS 140-3 or FIPS 140-2 Logo and Phrases CVP Certification Exam Information NIST Cost Recovery Fees CST Lab Accreditation and Fees Archived Notices CMVP Validation Process

Contacts

DavidHawes - NIST CMVP Program Manager
cmvp@nist.gov

KailaiChen - CCCS CMVP Program Manager
CMVP@cyber.gc.ca

Cryptographic Module Validation Program CMVP

Project Links

FAQs

PROGRAMMATIC

STANDARDS/GUIDANCE

CMVP LISTS

FIPS LOGOS

Project Links

Additional Pages

Contacts

Group

Topics

Related Projects

Additional Pages

Contacts

Group

Topics

Related Projects

CMVP LISTS  