REMINDER: Comment period closes December 9th for Draft SP 800-140x publications


NIST has released the following Draft NIST Special Publications (the SP 800-140x “subseries”) for public comment. They directly support Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirement for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP).

  • Draft SP 800-140, FIPS 140-3 Derived Test Requirements (DTR)
  • Draft SP 800-140A, CMVP Documentation Requirements
  • Draft SP 800-140B, CMVP Security Policy Requirements
  • Draft SP 800-140C, CMVP Approved Security Functions
  • Draft SP 800-140D, CMVP Approved Sensitive Parameter Generation and Establishment Methods
  • Draft SP 800-140E, CMVP Approved Authentication Mechanisms
  • Draft SP 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics

Public comments are due December 9, 2019. For document files, instructions for submitting comments, and more information about the transition to FIPS 140-3, see the links at the bottom of this message.

Background On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019, and becomes effective September 22, 2019.

The new standard introduces some significant changes in the management of the standard. Rather than encompassing the module requirements directly, FIPS 140-3 references International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E). The testing for these requirements will be in accordance with ISO/IEC 24759:2017(E). While there are few major technical requirement changes, the use of the ISO documents requires several procedural changes in the management and execution of the validation process.

The Cryptographic Module Validation Program (CMVP) validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-3 and other cryptography-based standards. The CMVP is a joint effort between NIST and the Canadian Centre for Cyber Security. Modules validated as conforming to FIPS 140-3 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. CMVP acts as the validation authority entity for conformance to the ISO/IEC Standard.

FIPS 140-3 identifies NIST special publications that modify requirements of ISO/IEC 19790:2012 and ISO/IEC 24759:2017 as allowed by the validation authority, CMVP. Final publication of these SP 800-140x documents is expected to occur by March 22, 2020.

CSRC Update:

Publication details:

Draft SP 800-140:
Draft SP 800-140A:
Draft SP 800-140B:
Draft SP 800-140C:
Draft SP 800-140D:
Draft SP 800-140E:
Draft SP 800-140F:

Overview of the Transition to FIPS 140-3: