FIPS 140-2 vALIDATION AND Re-Validation

The EWA-Canada IT Security Evaluation & Test Facility performs Federal Information Processing Standard (FIPS) PUB 140-2 testing for initial validations of previously un-validated products/cryptographic modules and revalidations of validated products/cryptographic modules as part of the Cryptographic Module Validation Program (CMVP).

Pre-Validation Planning

Prior to beginning a validation, vendors should have an understanding of the FIPS 140-2 requirements and the validation process itself. If you are new to, or unfamiliar with, the FIPS 140-2 validation process, you may wish to consider FIPS 140-2 Pre-Validation Consulting.

FIPS 140-2 Validation Testing Process

  • The vendor provides the required documentation (which includes a non-proprietary Security Policy, Finite State Model, user and crypto-officer guidance documentation, key management and self-test documentation, and a response to all Vendor Evidence (VEs) in the Derived Test Requirements) and the cryptographic module (actually, as many instances as needed for testing) to the EWA-Canada IT Security Evaluation & Test Facility.  The cryptographic module can be listed as an Implementation Under Test (IUT) in the "Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List" when the laboratory has received the Security Policy, Finite State Model, and basic design documentation.    
  • Cryptographic Algorithm Validation of the FIPS-approved or NIST-recommended cryptographic algorithms is then performed.    
  • The EWA-Canada IT Security Evaluation & Test Facility performs the necessary documentation review, physical security testing, and FIPS 140-2 functional and attack testing. Usually at least a few documentation changes, especially in the Security Policy, are required. If the EWA-Canada IT Security Evaluation & Test Facility discovers any FIPS 140-2 functional non-conformance during its testing, the laboratory gives the vendor time to fix the non-conformance and resubmit the modified cryptographic module to complete the validation testing.    
  • When the EWA-Canada IT Security Evaluation & Test Facility has completed all the required cryptographic module testing, the laboratory submits the test report, along with the non-proprietary Security Policy, to the validation authorities NIST and CSEC.    
  •  At least one reviewer from NIST and one reviewer from CSEC examine the FIPS 140-2 validation submission and provide comments. The EWA-Canada IT Security Evaluation & Test Facility responds to the comments and requests for additional information. The comments may include requiring modifications to the non-proprietary Security Policy.    
  • If NIST and CSEC are confident in the conformance of the cryptographic module to FIPS 140-2, they will list the cryptographic module in the "FIPS 140-1 and FIPS 140-2 Cryptographic Module Validation List" and will issue a FIPS validation certificate for the cryptographic module.    

The timeframe for the validation depends upon several factors including the targeted Security Level, complexity of the cryptographic module to be validated, extent of cryptographic functionality provided, number of operating systems or models to be validated, whether or not the cryptographic module is conformant to the FIPS 140-2 standard when provided for testing, and the length of the validation queue.

FIPS 140-2 Revalidation Testing

A new version of a previously-validated cryptographic module can be done through a revalidation rather than a full validation depending on the extent of the modifications made from the previously-validated version of the cryptographic module. Please contact us to discuss the extent of documentation and testing that will be required.  The EWA-Canada IT Security & Evaluation can also provide more information on cost and duration at that time.Estimates for the cost of testing can be provided upon request. 

Please Contact Us for further information.