Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-140B (Initial Public Draft)

CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B

Date Published: October 2019
Comments Due: December 9, 2019 (public comment period is CLOSED)
Email Questions to:


Kim Schaffer (NIST)


NIST has released the following Draft NIST Special Publications (the SP 800-140x “subseries”) for public comment. They directly support Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirement for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP).

  • Draft SP 800-140, FIPS 140-3 Derived Test Requirements (DTR)
  • Draft SP 800-140A, CMVP Documentation Requirements
  • Draft SP 800-140B, CMVP Security Policy Requirements
  • Draft SP 800-140C, CMVP Approved Security Functions
  • Draft SP 800-140D, CMVP Approved Sensitive Parameter Generation and Establishment Methods
  • Draft SP 800-140E, CMVP Approved Authentication Mechanisms
  • Draft SP 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics

Public comments are due December 9, 2019. Also see an overview of the transition to FIPS 140-3.



Cryptographic Module Validation Program; CMVP; FIPS 140 testing; FIPS 140; ISO/IEC 19790; ISO/IEC 2759; testing requirement; vendor evidence; vendor documentation; security policy
Control Families

None selected


Draft SP 800-140B (pdf)

Supplemental Material:
None available

Document History:
10/09/19: SP 800-140B (Draft)
03/20/20: SP 800-140B (Final)


Security and Privacy

cryptography, testing & validation