Cryptographic Module Validation Program
Cryptographic Module Validation Program CMVP
FIPS 140-3 IG Announcements
- 2.4.C Approved Security Service Indicator
- 9.7.B Indicator of Zeroization
- 10.3.C Conditional Manual Entry Self-Test Requirements
- 11.A CVE Management
- 12.A Mitigation of Other Attacks
- D.O Combining Entropy from Multiple Sources
- 3.4.A Trusted Channel – clarified in the last bullet in Resolution 2 that the operator must stay in control over the physical path and prevent any unauthorized tampering.
- 4.1.A Authorised Roles - Clarified the requirements of the text “or other services that do not affect the security of the module”.
- 10.3.A Cryptographic Algorithm Self-Test Requirements – Updated to remain consistent with FIPS 140-2 IG 9.4. Also, clarified self-test rules around the PBKDF Iteration Count parameter.
- C.H Key/IV Pair Uniqueness Requirements from SP 800-38D - Removed Scenario 2’s second and fourth bullets and added the reasoning as Additional Comment #4.
- D.F Key Agreement Methods - Removed Additional Comment 10 since SP 800-56Arev3 testing is available and therefore vendor affirming to this standard is not permitted.
- D.G Key Transport Methods - Added “if applicable” for key confirmation under the first approved method.
- D.J Entropy Estimation and Compliance with SP 800-90B - Updated to align ENT references with that of IG D.O.
The first release of the FIPS 140-3 Implementation Guidance document was published on September 21, 2020. This release incorporates 41 IGs, down from the 104 IGs currently in FIPS 140-2 IG document. Many of the IGs were no longer required as they were incorporated into ISO/IEC 19790, ISO/IEC 24759, and the SP 800-140x documents. Many thanks to those who helped identify, draft, review, and publish this new CMVP document.
Created October 11, 2016, Updated June 16, 2021