Frequently Asked Questions (FAQs)

Information including items of interest, programmatic issues and other topics related to the Cryptographic Module Validation Program.

Complete CMVP FAQ Document: PDF (12-04-2007)

The CMVP FAQ is organized to address questions that are of interest to Federal users or procurers of cryptographic modules and to vendors developing cryptographic modules or solutions utilizing embedded cryptographic modules. The eight sections of the FAQ follow, with references to some of the most frequently requested information:

  • Section 1: Overview
    • What is the purpose of the CMVP?
  • Section 2: Introduction to the Cryptographic Module Validation Program
    • 2.1: I am a customer
      • I am looking for a validated module - where do I start?
      • A vendor is selling me a crypto solution - what should I ask?
    • 2.2: I am a vendor
      • 2.2.1: I am a vendor looking for requirements information
        • Can I incorporate another vendor's validated cryptographic module?
        • What is the result of loading additional non-validated applications within a FIPS validated cryptographic module?
      • 2.2.2: I am a vendor looking for CMT laboratory information
        • How long does it take, and how much does it cost to get my cryptographic module tested?
  • Section 3: General CMVP Information
    • 3.2: Applicability
      • Use of Unvalidated Cryptographic Modules by Federal Agencies and Departments?
    • 3.4: Cryptographic Module and Cryptographic Algorithm Validation Processes
      • What process does the CMVP follow if informed by 3rd parties regarding module non-compliance issues?
  • Section 4: Standards
  • Section 5: Cryptographic Module Validation
    • 5.1: Cryptographic Module Security Levels
      • What are the different security levels?
      • How do the four security levels of cryptographic modules correlate to the three risk-impact levels required by FIPS 199 and the minimum security controls in FIPS 200 and 800-53?
    • 5.3: FIPS 140-2
      • Does the CMVP validate source code?
      • Does the CMVP validate static libraries?
    • 5.7: FIPS 140-1 and FIPS 140-2 Logos
      • What are the guidelines for the use of the FIPS 140-1 and FIPS 140-2 logos?
      • How can electronic images of the logos be obtained from NIST?
      • The cryptographic module is not a product. Can I use the FIPS logo on product literature?
    • 5.8: Validation list changes
      • How can the validation list be updated for vendor, module name or versioning information changes?
      • How can the validation list be updated if the vendor's contact information has changed (new address, phone, fax, point-of-contact)?
      • Under FIPS 140-2 IG G.5, software is ported to a new OS: can the validation list be updated?
    • 5.9: Validated Certificates
      • If the CMVP validation web site does not match the posted certificate, which is valid?
  • Section 6: Cryptographic Algorithm Testing
  • Section 7: Revalidation
    • 7.1: When do cryptographic modules need to be revalidated?
  • Section 8: References