Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-140B Rev. 1 (Initial Public Draft)

CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B

Date Published: May 12, 2022
Comments Due: July 12, 2022 (public comment period is CLOSED)
Email Questions to:


David Hawes (NIST), Alexander Calis (NIST), Roy Crombie (Canadian Centre for Cyber Security)


This draft introduces four significant changes to NIST SP 800-140B:

  1. Defines a more detailed structure and organization for the Security Policy
  2. Captures Security Policy requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Builds the Security Policy document as a combination of the subsection information
  4. Generates the approved algorithm table based on lab/vendor selections from the algorithm tests

The NIST SP 800-140x series supports Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP). The series specifies modifications to ISO/IEC 19790 Annexes and ISO/IEC 24759 as permitted by the validation authority.



Cryptographic Module Validation Program; CMVP; FIPS 140 testing; FIPS 140; ISO/IEC 19790; ISO/IEC 24759; testing requirement; vendor evidence; vendor documentation; security policy
Control Families

None selected


Download URL

Supplemental Material:
Comments received + CMVP responses (pdf)

Document History:
05/12/22: SP 800-140B Rev. 1 (Draft)
10/17/22: SP 800-140B Rev. 1 (Draft)
11/17/23: SP 800-140B Rev. 1 (Final)


Security and Privacy

cryptography, testing & validation