NIST SP 800-140B Rev. 1 (2nd Public Draft)

CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B

Date Published: October 17, 2022
Comments Due: December 5, 2022 (public comment period is CLOSED)
Email Questions to:


Author(s): David Hawes (NIST), Alexander Calis (NIST), Roy Crombie (Canadian Centre for Cyber Security)


The initial public draft introduced four significant changes to NIST SP 800-140B:

  1. Defines a more detailed structure and organization for the Security Policy
  2. Captures Security Policy requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Builds the Security Policy document as a combination of the subsection information
  4. Generates the approved algorithm table based on lab/vendor selections from the algorithm tests

This second public draft addresses the comments made on the initial draft, including concerns with the structure of the Security Policy and the process for creating it. Appendix B provides details on these changes.

The NIST SP 800-140x series supports Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP). The series specifies modifications to ISO/IEC 19790 Annexes and ISO/IEC 24759 as permitted by the validation authority.



Keywords: Cryptographic Module Validation Program; CMVP; FIPS 140 testing; FIPS 140; ISO/IEC 19790; ISO/IEC 24759; testing requirement; vendor evidence; vendor documentation; security policy
Control Families

None selected


Supplemental Material:
Comments received on initial public draft + CMVP responses (pdf)

Document History:
05/12/22: SP 800-140B Rev. 1 (Draft)
10/17/22: SP 800-140B Rev. 1 (Draft)
11/17/23: SP 800-140B Rev. 1 (Final)


Security and Privacy

cryptography, testing & validation