Cryptographic Module Validation Program (CMVP)

Cryptography is notoriously difficult to implement correctly and securely, so the Cyber Centre relies on the Cryptographic Module Validation Program (CMVP) to certify IT products that are ready for procurement. The CMVP is particularly relevant to those in organizations who purchase IT products.

The CMVP validates the cryptographic modules (the parts of systems that implement cryptography) that are part of IT products against the Federal Information Processing Standard (FIPS) 140 standard, as well as certain other cryptographic standards. Procuring and deploying a FIPS-validated product ensures the vendor implemented the product correctly, and that it follows Cyber Centre-recommended security best practices for cryptography. Note that the CMVP is in the process of migrating to the new FIPS 140-3 standard. Testing against this standard will start in September 2020.

FIPS 140-3 is an ISO-based standard (ISO/IEC 19790:2012) that introduces updated requirements in areas including module authentication, service definitions and indicators, and key management.

About the CMVP

The Cyber Centre jointly manages the Cryptographic Module Validation Program (CMVP) with the United States National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. The Cyber Centre is the Canadian certification authority.

Products validated as conforming to FIPS 140-2 or FIPS 140-3 are accepted by the Federal agencies of both countries for the protection of sensitive information (United States) or Protected Information (Canada).

For vendors

Vendors seeking CMVP validation for their products should contact an accredited testing laboratory.

Using the following search terms will narrow the search to only CMVP-accredited labs:

  • Program ITST: Cryptographic and Security Testing
  • Area of Accreditation: Basic Cryptographic and Security Testing

For system architects

The Cyber Centre recommends using only CMVP-validated products when system architectures include cryptography. Using CMVP-validated products ensures that when information is encrypted, it happens with an approved algorithm, with keys that have been generated or derived in an approved manner, using an approved strength, in both length and randomness. The Cyber Centre considers using unvalidated cryptography as providing no protection to the information; in other words, it is equivalent to plaintext.

Please see how to select a CMVP validated product for more information on selecting the right validated product for your architecture.

For purchasers

Prior to using any product that implements cryptography, the Cyber Centre recommends that organizations obtain a copy of the vendor's FIPS 140-2 or FIPS 140-3 validation certificate or certificate number for the product and validate these certificates against the CMVP's validation list. The standard provides four increasing, qualitative levels of security: Levels 1 through 4. These levels cover the wide range of potential applications and environments where you may use cryptography. The security requirements cover 11 areas related to the secure design and implementation of a cryptographic module. The Cyber Centre advises that the overall rating of a cryptographic module is not necessarily the most important rating.

Vendors often include a variety of terms for conformance claims in marketing material, which can be confusing. For example, here is the Cyber Centre's opinion regarding the acceptability of the following claims of conformance to FIPS 140:

  • "The module has been designed for compliance to FIPS 140." Acceptable: No
  • "The module has been pre-validated and is on the CMVP pre-validation list." Acceptable: No
  • "The module will be submitted for testing." Acceptable: No
  • "The module has been independently reviewed and tested to comply with FIPS 140." Acceptable: No
  • "The module meets all the requirements of FIPS 140." Acceptable: No
  • "The module implements FIPS Approved algorithms; including having algorithm certificates." Acceptable: No
  • "The module follows the guidelines detailed in FIPS 140." Acceptable: No
  • "The module has been validated and has received Certificate #9999." Acceptable: Yes

Please see how to select a CMVP validated product for more information on selecting the right validated product for your architecture.

For laboratories

Organizations interested in becoming a testing laboratory for the CMVP should visit the NVLAP web site.

It contains the following information:

  1. applying for laboratory accreditation
  2. applicable fees
  3. National Voluntary Laboratory Accreditation Program (NVLAP) Handbooks
  4. associated laboratory bulletins

Learn more about the CMVP

Interested in learning more about the CMVP? Please visit the main Cryptographic Module Validation Program (CMVP) website hosted by NIST.

Would you like to learn more from the Cyber Centre about the CMVP? Please contact us.
