Labgram #091/Valgram #111 - CAVP and CMVP Claims
CCTLs and Validators,
This is a reminder that, in accordance with Policy #5, CAVP certificates are required, at a minimum, for all cryptography for which NIST has an approved security function. CMVP is preferred, but not mandatory at this time. NIAP is closely examining all final packages to ensure there are no misinterpretations pertaining to CAVP and CMVP claims.
CAVP certificates result from validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components.
CMVP certificates result from validation testing of cryptographic modules in accordance with FIPS 140-2.
A product or implementation does not meet the FIPS 140-2 applicability requirements by simply implementing an Approved security function and acquiring validations for each of the implemented algorithms.
In addition, in accordance with Policy #1, the information included in STs, AARs, PCL Entries, VRs, or any public evaluation documentation must be verified during the evaluation and cannot express opinions or subjective claims. Please ensure all public-facing documentation is accurate and clear with regard to CAVP and CMVP claims when submitting check-out packages. If a product does not have a CMVP certificate, there should be no claims such as "FIPS 140-2 validated" or "validated cryptographic module."
If you have any questions or concerns, please contact us at 410-854-4458 or by email at email@example.com.