Cryptographic Module Validation Program CMVP

The CMVP is offering an interim validation process for module submissions. This interim validation option is voluntary; however, CSTLs must notify CMVP of the vendor's intent prior to 1 Oct 2024.

Vendors do not need to take any action if they would prefer to wait for their full review to be completed to receive full, five-year validation. Vendors who would like to elect the interim validation should follow the process below.

These module submissions will be reviewed for completeness by CMVP staff. If needed, there will be a brief period of Coordination with the CST lab to resolve any questions. Once this step is successfully completed:

• A two-year sunset date (expiration date) will be awarded.
• The ‘Interim Validation" caveat will be added to the certificate validation entry to distinguish them from a full validation (see CMVP Caveats webpage for more information)
• A supplementary follow-up submission, adhering to the SP 800-140Br1 format, may be submitted to the CMVP. This follow-up submission must be received by the CMVP prior to the two-year sunset date for the interim validation to remain on the active list until the completion of the follow-up submission.
• Any non-compliance identified (e.g., during the follow-up review) will be resolved with existing processes and provide the opportunity for a timely resolution prior to moving the validation certificate to the Historical or Revocation lists (see FIPS 140-3 Management Manual 4.8 for more information).
• After a successful review and completion of this follow-up, the "Interim Validation" status will be lifted, and the sunset date will be extended to accommodate an increase from two to five years for the total validation period.
• The validation will be moved to the historical list if the follow-up submission is not received prior to the two-year sunset date.

The interim validation submission must meet the following criteria:

• The vendor must inform the CMVP through their Cryptographic Security Testing (CST) lab if they elect to choose interim validation.
• The requesting CST lab must be in an active status with NVLAP.
• The original submission must have been received by the CMVP prior to 1 Jan 2024, and have not yet been validated.
• The submission must be fully tested and evaluated for conformance to the FIPS 140-3 standard by an active, accredited CST lab.
• The submission much be recommended for validation by the accredited CST lab who performed the testing.
• In addition to the original submission documents, the CST lab must also complete and sign a CMVP-provided requirement checklist.

Changes made on Jan 30, 2024

1. Added: RSADP 2.0, SRTP, ANSI X9.63-2001 KDF, Hash DRBG / HMAC DRBG, and RSASP 2.0.

Changes made on Aug 8, 2023

1. Updated FIPS 186-5 / SP 800-186 to reference the FIPS 140-3 IG and to include the Submission Date based on the publication date of this IG.
2. Updated Footnote 3 to address the scenario when vendor affirmation is not available.

Changes made on Feb 10, 2023

1. Updated FIPS 186-5 / SP 800-186 entry due to the publication of these standards.

Changes made on Jan 26, 2021

1. Changed "TLS 1.3 KDF" ACVTS Prod Date from "Still on Demo" to "January 22, 2021.
2. Changed "TLS 1.3 KDF" Submission Date from "TBD" to "June 30, 2021.

Changes made on Jan 6, 2021

1. "TLS 1.3 KDF" entry, changed "December 31, 2020" to "TBD" since it is still on the DEMO server.
2. Updated footnote 6: "SP 800-90B compliance is required after November 7, 2020 for FIPS 140-2. This entry will be updated once ENT certification becomes available. In addition, this date is applicable to the vetted conditioning components specified in SP 800-90B section 3.1.5.1.1 which must be CAVP tested if implemented as part of an approved SP 800-90B compliant ENT."
3. Added a footnote to "December 31, 2020" for the "KAS or KAS-SSC DLC (FFC or ECC)" entry: "This date is applicable to the Safe Primes Groups as specified in SP 800-56Arev3 Appendix D which must be CAVP tested if implemented as part of an approved SP 800-56Arev3 compliant KAS."
4. Updated footnote 5: "Not all higher-level algorithms support CAVP testing using FIPS 202 functions (e.g. DRBG, DSA, all CVL KDFs besides ANS x9.42, RSA). This date applies to the following higher-level algorithms (unless the algorithm itself has a later transition date) which do support FIPS 202 functions: ECDSA, HKDF, HMAC, KAS/KAS-RSA/SSC (SP 800-56Arev3 and SP 800-56Brev2), KBKDF, ANS x9.42 CVL, PBKDF. This table may need to be updated in the future."

Changes made November 6, 2024

1. Added ENT entry.

Changes made August 8, 2023

1. Updated the non-56Br2 compliant rows per the latest CMVP transition guidance.
2. Added RSA X9.31 within the DSA row as they both have the same scheduled transition. Added IG C.K reference.

Changes made February 10, 2023

1. Added row for AES-CBC-MAC within OTAR.

Changes made January 3, 2023

1. Added footnote [8] for FIPS 186-4 DSA transition.
2. Modified Historical Dates for Triple-DES entry.

Changes made October 21, 2022

1. Added row for FIPS 186-4 DSA transition.
2. Added sentence to footnote [2] on N/A entry.