Frequently Asked Questions (FAQs)
Information including items of interest, programmatic
issues and other topics related to the Cryptographic Module Validation
Program.
Complete CMVP FAQ Document: PDF
(12-04-2007)
The CMVP FAQ is organized to address questions that are of interest
to Federal users or procurers of cryptographic modules and to vendors
developing cryptographic modules or solutions utilizing embedded cryptographic
modules. Following are the eight sections of the FAQ with reference
to some of the most frequently asked information:
- Section 1: Overview
- What is the purpose of the CMVP?
- Section 2: Introduction to the Cryptographic Module Validation
Program
- 2.1: I am a customer
- I am looking for a validated module - where do I start?
- A vendor is selling me a crypto solution - what should I ask?
- 2.2: I am a vendor
- 2.2.1: I am a vendor looking for requirements information
- Can I incorporate another vendor's validated cryptographic
module
- What is the result of loading additional non-validated applications
within a FIPS validated cryptographic module?
- 2.2.2: I am a vendor looking for CMT laboratory information
- How long does it take, and how much does it cost to get my
cryptographic module tested?
- Section 3: General CMVP Information
- 3.2: Applicability
- Use of Unvalidated Cryptographic Modules by Federal Agencies
and Departments?
- 3.4: Cryptographic Module and Cryptographic Algorithm Validation
Processes
- What process does the CMVP follow if informed by 3rd parties
regarding module non-compliance issues?
- Section 4: Standards
- Section 5: Cryptographic Module Validation
- 5.1: Cryptographic Module Security Levels
- What are the different security levels?
- How do the four security levels of cryptographic modules correlate
to the three risk-impact levels required by FIPS 199 and the minimum
security controls in FIPS 200 and 800-53?
- 5.3: FIPS 140-2
- Does the CMVP validate source code?
- Does the CMVP validate static libraries?
- 5.7: FIPS 140-1 and FIPS 140-2 Logos
- What are the guidelines for the use of the FIPS 140-1 and
FIPS 140-2 logos?
- How can electronic images of the logos be obtained from NIST?
- The cryptographic module is not a product. Can I use the FIPS
logo on product literature?
- 5.8: Validation list changes
- How can the validation list be updated for vendor, module
name or versioning information changes?
- How can the validation list be updated if the vendor's contact
information has changed (new address, phone, fax, point-of-contact)?
- Under FIPS 140-2 IG G.5, software is ported to a new OS: can
the validation list be updated?
- 5.9: Validated Certificates
- If the CMVP validation web site does not match the posted certificate,
which is valid?
- Section 6: Cryptographic Algorithm Testing
- Section 7: Revalidation
- 7.1: When do cryptographic modules need to be revalidated?
- Section 8: References