Cryptographic Module Validation Program (CMVP)

SP 800-140B: CMVP Security Policy Requirements

Short URL: https://csrc.nist.gov/projects/cmvp/sp800-140b

This page provides information related to preparing, submitting, coordinating, and finalizing a module for the CMVP. These are the how-to processes and procedures used at the point a CMVP lab has completed testing and is ready to create and submit the package.

NOTE: Implementation of these new processes is currently in the pilot project phase. The information below is being updated frequently with the latest document versions as they become available.


Module Information Structure (MIS) Resources

To facilitate automated verification and processing of the modules, much of the information needs to be submitted in a structured and organized format. The CMVP uses JSON as the submission format to provide a mechanism for receiving this structured data. The information below describes the JSON structure and programs the CMVP provides to create and verify the JSON. This JSON file is referred to as the MIS.


Security Policy

The Security Policy is one of the required documents. To eliminate duplication of information and the need to verify two separate sources, several fields and tables within the Security Policy are populated by the CMVP after the module package is submitted. The source of that field and table information is the MIS. The remaining information is entered by the vendor into a copy of the CMVP-supplied Microsoft Word template document (link below). The completed template is then merged with the MIS fields and tables to produce the final Security Policy. The CMVP provides a program (link below) that performs this merge so that vendors and labs can see what the final Security Policy will look like.


Process Support Applications

  • Web-Cryptik (Under Revision)
    • MIS Creation, Editing, Verifying
    • TR Creation, Editing, Verifying
  • Security Policy Builder
  • MIS Verifier

Submission, Coordination, and Finalization

See current guidance in the CMVP Management Manual and Web Cryptik User's Guide (available through the Web Cryptik application).


Module Process

Created October 11, 2016, Updated November 29, 2023