Cryptographic Module Validation Program (CMVP) Standards
The Cryptographic Module Validation Program (CMVP) validates commercial cryptographic modules against Federal Information Processing Standard (FIPS) 140-2 and other cryptography-based standards, such as those for algorithms. The CMVP is jointly managed by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE). Products validated as conforming to FIPS 140-1 or FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or Protected Information (Canada).
CSE and NIST have begun the review and update of FIPS 140-2 to keep the standard consistent with current technologies, to incorporate suggestions from federal departments as well as vendors, and to update and strengthen the requirements in key areas of the standard. FIPS 140-3 is expected to include significant changes in the areas of physical and software security, and module assurance. The discovery of new non-invasive attacks will be reflected in the new standard. The standard will also better define and strengthen the requirements for software modules.