Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cryptographic Module Validation Program CMVP

SP 800-140B: CMVP Security Policy Requirements

Short URL:

This page provides information related to preparing, submitting, coordinating, and finalizing a module for the CMVP. These are the how-to processes and procedures used at the point a CMVP lab has completed testing and is ready to create and submit the package.


Module Information Structure (MIS) Resources

To facilitate automated verification and processing of the modules, much of the information needs to be submitted in a structured and organized format. The CMVP uses JSON as the submission format to provide a mechanism for receiving this structured data. The information below describes the JSON structure and programs the CMVP provides to create and verify the JSON. This JSON file is referred to as the MIS.

Important Note: Because of the potential of changes in the _module.json schema related to different versions of Web Cryptik Br1, it is important to use the ModVerifyApp program to Select, Load and Update, and Save previously generated _module.json files before importing them into Web Cryptik Br1. Web Cryptik is not able to upgrade schema and even with editing and saving, will perpetuate schema errors into newer versions.

Security Policy

The Security Policy is one of the required documents. To eliminate duplication of information and the need to verify two separate sources, several fields and tables within the Security Policy are populated with information by the CMVP after the module package is submitted. The field and table information source is the MIS. The other information is entered by the vendor into a copy of the CMVP supplied Microsoft Word template document (link below). This completed template is merged with the MIS fields and tables to produce the final Security Policy. The CMVP has provided a program (link below) that performs that information merge so that the vendors and labs can see what the final Security Policy will look like.


Process Support Applications

Submission, Coordination, and Finalization

See current guidance in the CMVP Management Manual and Web Cryptik User's Guide (above).

Template Documents Used in Package Submission


Module Process

Created October 11, 2016, Updated July 10, 2024