Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cryptographic Module Validation Program CMVP

FIPS 140-3 Management Manual

 

FIPS 140-3 Management Manual - Latest Version (02-29-2024)

The purpose of the CMVP Management Manual is to provide effective lab management and coordination with the management of the CMVP. The CMVP Management Manual includes a description of the CMVP process and is applicable to the Validation Authority, the CST Laboratories, and the vendors who participate in the program.

Consumers who procure validated cryptographic modules may also be interested in the contents of this manual. This manual outlines the management activities and specific responsibilities which have been assigned to the various participating groups. This manual does not deal with the actual standards and technical aspects of the standards.

 

[12-06-2023]

  • Final version (2.0) rather than a draft.

  • Minor revisions to RFG text and template (2.5).

  • New statement on labs responsibility to demonstrate full compliance for approved cryptographic claims, including requirements not covered by CAVP tests (2.6.2).

  • Included Triage text (4.1.1.2).

  • ECR (3.2.8) and HOLD (4.4.3) policies.

  • Clarified what is a permitted change while review pending (4.4.5) and or during Coordination (4.4.6).

  • Small clarifications in the ESV section (4.9).

  • Scenario definitions including introducing limited scenario combinations (and a summary table of permitted combinations in 7.1.15), and regression testing requirements (7.1).

  • Added IG reference to better define “security” as it relates to NSRL (7.1.5) and UPDT (7.1.10).

  • Incorporate remote testing guidance (7.4).

  • Moved Module count definition (7.8) to a CMVP webpage.

 

Created October 11, 2016, Updated April 01, 2024