The Cryptographic Module Validation Program (CMVP) was established by NIST and the Communications Security Establishment (CSE) of the Government of Canada in July 1995 to oversee the results of Cryptographic Module testing performed by accredited third-party laboratories. The National Institute of Standards and Technology (NIST) published the first cryptographic standard, FIPS 140-1, in 1994. The current version of the FIPS 140 standard is FIPS 140-2, which was issued in 2001. FIPS 140-3 was announced in March 2019 and will be available for testing in September 2020. FIPS 140-3 maps to the international standard ISO/IEC 19790:2012.
As a prerequisite to CMVP validation, Cryptographic Algorithm Validation Program (CAVP) conformance testing is performed to validate FIPS-approved and NIST-recommended cryptographic algorithms.
FIPS 140 specifies security requirements for Cryptographic Modules that encrypt and decrypt data, securely generate cryptographic keys, perform hashing, execute key agreement using industry-standard protocols, and generate or verify digital signatures. FIPS 140 validation is mandatory for vendors selling cryptography to the US and Canadian governments. US government agencies treat cryptography that is not FIPS-validated as clear text. FedRAMP-authorized cloud solutions require that any cryptographic mechanisms deployed in these solutions be FIPS 140 certified.
Since 1999, Oracle has been increasing the number of validations performed against the FIPS 140 standard. Oracle’s validation approach includes a combination of FIPS 140-2 validated open source cryptographic libraries and proprietary third-party cryptographic modules.
Within the Cryptographic Module Validation Program (CMVP) there are three main phases, which are represented by lists on the CMVP website: Implementation Under Test (IUT), Modules in Process (MIP) and Validated Modules.
The IUT list includes modules where the vendor is under contract with an accredited laboratory to perform the validation testing, but nothing has been submitted to the CMVP. Vendors have 18 months to complete testing or be removed from the IUT list.
The Modules in Process List includes modules where laboratories submitted testing results to the CMVP, and the validation process is in one of these phases:
The Validated Modules list includes modules that have completed certification against the FIPS 140 standard. Modules are considered active for five years from their validated date. After five years, they are automatically marked as historical; however, if a module continues to meet the FIPS 140 standard requirements, an application can be made to have it reinstated.
For Oracle-specific CMVP module listings, please see here.
For additional information on Oracle’s FIPS 140 status and participation, please email firstname.lastname@example.org.