Cryptographic Module Validation Program

Abstract: Federal agencies, industry, and the public now rely on cryptography to protect information and communications used in critical infrastructures, electronic commerce, and other application areas. Cryptographic modules are implemented in these products and systems to provide cryptographic services such as confidentiality, integrity, non-repudiation and identification and authentication. A documented methodology for conformance testing through a defined set of security requirements in FIPS 140-1 and FIPS 140-2 and other cryptographic standards is specified in the Derived Test Requirements.FIPS 140-1 is one of NIST's most successful standards and forms the very foundation of the Cryptographic Module Validation Program. FIPS 140-2 addresses lessons learned from questions and comments and reflects changes in technology. The standard was strengthened, but not changed in focus or emphasis. Also, the standard was minimally restructured to: standardize the language and terminology to add clarity and consistency; remove redundant and extraneous information to make the standard more concise; and revise or remove vague requirements. Finally, a new section was added detailing new types of attacks on cryptographic modules that currently do not have specific testing available. This differences paper summarizes the changes from FIPS 140-1 to FIPS 140-2 and documents the detailed requirements.

Abstract: Computer security assurance provides a basis for one to have confidence that security measures, both technical and operational, work as intended. Use of products with an appropriate degree of assurance contributes to security and assurance of the system as a whole and thus should be an important factor in IT procurement decisions. Two Government programs are of particular interest -- the National Information Assurance Partnership (NIAP)'s Common Criteria Evaluation and Validation Program and NIST's Cryptographic Module Validation Program (CMVP). The NIAP program focuses on evaluations of products (e.g., a firewall or operating system) against a set of security specifications. The CMVP program focuses on security conformance testing of a cryptographic module against Federal Information Processing Standard 140-1, Security Requirements for Cryptographic Modules and related federal cryptographic algorithm standards.

Abstract: This document describes the principles, processes and procedures that drive cryptographic standards and guidelines development efforts at the National Institute of Standards and Technology (NIST). This document reflects public comments received on two earlier versions, and will serve as the basis to guide NIST’s future cryptographic standards and guidelines development efforts. It will be reviewed and updated every five years, or more frequently if a need arises, to help ensure that NIST fulfills its role and responsibilities for producing robust, effective cryptographic standards and guidelines.

Abstract: “Do accredited environmental laboratories actually perform better?” The Canadian Association for Environmental Analytical Laboratories (CAEAL) attempted to answer this question in a 1997 article entitled “Laboratory Accreditation: Proof of Performance for Environmental Labs” (Canadian Chemical News, September 1997). Since that time we have received numerous requests to repeat the performance comparison. Since we now have data from additional years of proficiency testing (PT) studies, we have repeated the original study. CAEAL is committed to working with the laboratory community and their clients to achieve and demonstrate the value of implementing the highest quality standards in Canadian environmental laboratories. To this end, CAEAL and the Standards Council of Canada (SCC) jointly deliver an accreditation program for environmental laboratories in Canada. The accreditation program is based on ISO/IEC 17025 “General Requirements for the Competence of Testing and Calibration Laboratories”. Laboratory performance for many accredited parameters is evaluated through interlaboratory PT, and laboratory capability is assessed every 2 years by a laboratory site assessment covering the lab’s quality system and its technical capabilities for the specific tests. By mid 2001, more than 120 environmental labs were participating in the joint SCC/CAEAL accreditation program, representing about 38% of all labs accredited by the SCC for all areas of testing. Another 160 to 170 labs are involved in only PT, making a total of 270 to 280 labs in CAEAL’s PT program.