What is the CMVP?
The Cryptographic Module Validation Program (CMVP) is a joint effort between the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), a branch of the Communications Security Establishment (CSE). The primary goal of the CMVP is to validate cryptographic modules against established security standards. Cryptographic modules include hardware, software, and firmware components that implement cryptographic functions like encryption, digital signatures, and hashing.
What are FIPS Standards (FIPS 140-2 and FIPS 140-3)?
Federal Information Processing Standards (FIPS) are standards developed by the U.S. federal government for computer systems. FIPS 140 is a series of standards specifically focused on the security requirements for cryptographic modules.
FIPS 140-2: Issued in 2001, this standard covers areas like cryptographic algorithm implementation, physical security, key management, and self-tests. For many years, it was the benchmark for cryptographic module security for U.S. federal agencies and regulated industries.
FIPS 140-3: This is the latest version, approved in 2019, which supersedes FIPS 140-2. FIPS 140-3 aligns more closely with international standards (ISO/IEC 19790) and introduces updates to security requirements.
WinMagic:
Our products has been FIPS 140-2 compliant for a long time, and are now on the “Modules In Process List” list awaiting full approval for FIPS 140-3. The MIP list contains cryptographic modules on which the CMVP is actively working. NIST will assign resources to review the reports when they have the bandwidth. Due to several factors including retirements, hiring freezes and process changes to make things more efficient it is hard to predict when NIST when complete their review, but it could be a year +-. In the meantime, our products continue to use our FIPS 140-2 modules which are completely fine and still valid.
The full MIP list can be viewed here:
Last Updated: 4/30/2025