U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cryptographic Module Validation Program CMVP

Overview

Welcome to the CMVP

The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment. The goal of the CMVP is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. 

Cryptographic and Security Testing (CST) Laboratories are independent laboratories accredited by NVLAP. CST Labs verify each module meets a set of testable cryptographic and security requirements, with each CST laboratory submission reviewed and validated by CMVP.  

The CMVP continues to validate cryptographic modules to Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules until September 21, 2021 without an extension request. On April 1, 2022 CMVP will no longer accept FIPS 140-2 submissions for new validation certificates.

As of September 22, 2020 CMVP additionally began validating cryptographic modules to Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules.

Back to Top


Applicability Of Validated Modules

Modules validated as conforming to FIPS 140-2 will continue to be accepted by the Federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada) through September 22, 2026. After that time CMVP will place the FIPS 140-2 validated modules on the Historical List, allowing agencies to continue using these modules for existing applications only.

FIPS 140-3 submissions for validations are being accepted. Upon validation, modules will be placed on the Active list for 5 years and may be purchased for new and existing applications.

Status of CMVP validation effort

 CMVP is experiencing a significant backlog in the validation process. Use of validated modules currently on the active list is encouraged.

Updated - 06-02-2021

Date

Activity

September 22, 2020

CMVP accepts FIPS 140-3 submissions

September 22, 2021

CMVP no longer accepts FIPS 140-2 submissions for new validation certificates unless the vendor is under contract with a CSTL prior to June 15, 2021, the CSTL has submitted an extension request, and the CSTL has received acceptance by the CMVP. 

The CMVP continues to accept FIPS 140-2 reports that do not change the validation sunset date, i.e. Scenarios 1, 1A, 1B, 3A, 3B and 4 from FIPS 140-2 Implementation Guidance G.8.

April 1, 2022 Update! CMVP no longer accepts all FIPS 140-2 submissions for new validation certificates

September 21, 2026

Remaining FIPS 140-2 certificates are moved to the Historical List

Back to Top


Use of Unvalidated Cryptographic Modules by Federal Agencies and Departments

 Unvalidated cryptography is viewed by NIST as providing no protection to the information or data—in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 (until September 22, 2026) or FIPS 140-3 is applicable. In essence, if cryptography is required, then it must be validated. Should the cryptographic module be revoked, use of that module is no longer permitted.

 

Back to Top


Created October 11, 2016, Updated July 01, 2021