CMVP Security Policy Requirements: NIST SP 800-140B Rev. 1 (Second Public Draft)

 The second public draft of NIST Special Publication (SP)
800-140Br1 (Revision 1),
CMVP Security
Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and
ISO/IEC 19790 Annex B
, is now available for public

The initial public draft introduced four significant changes to
NIST SP 800-140B:

  1. Defines a more detailed
    structure and organization for the Security Policy
  2. Captures Security Policy
    requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Builds the Security Policy
    document as a combination of the subsection information
  4. Generates the approved
    algorithm table based on lab/vendor selections from the algorithm tests

This second draft addresses the comments made on the initial
draft, including concerns with the structure of the Security Policy and the
process for creating it. Appendix B provides details on these changes.

The NIST SP 800-140x series supports Federal Information
Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules,
and its associated validation testing program, the Cryptographic Module
Validation Program (CMVP). The series specifies modifications to ISO/IEC 19790
Annexes and ISO/IEC 24759 as permitted by the validation authority.

The public comment period is open through December 5, 2022. See
the publication
for instructions on submitting comments.