FIPS 140–2: How a Cryptographic Module Is Validated and Tested (Chapter 2)

In FIPS 140–2 Introduction (Chapter 1) we presented FIPS 140–2 as the standard for cryptographic modules. Any vendor product or software that uses a cryptographic module must comply with FIPS 140–2 in order to be sold to government organizations in the USA, Canada, and elsewhere. For more information, see reference [1].
How is a Cryptographic Module (software or hardware) validated and tested?
A cryptographic module is validated and tested through two programs: the Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP). CAVP checks the algorithms implemented in the cryptographic module (i.e. whether the module uses FIPS-approved algorithms and implements them correctly), whereas CMVP tests the whole cryptographic module against the FIPS 140–2 Derived Test Requirements [2]. The upcoming chapters will describe the CMVP in detail.
Who validates the Cryptographic Module?
The National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC), with the help of NVLAP-accredited Cryptographic and Security Testing (CST) laboratories [2].
What are the benefits of FIPS 140–2 for a Vendor/Device Manufacturer?
Better security and greater trust from users.
Figure 1 shows the general flow of testing and validation of a cryptographic module to the FIPS 140–2 standard [2].

The steps for the cryptographic module validation life cycle include:
Step 1: The vendor submits the cryptographic module for testing to an accredited CST laboratory under a contractual agreement. Cryptographic module validation testing is performed using the Derived Test Requirements (DTR) for FIPS 140–2, Security Requirements for Cryptographic Modules. If the CST laboratory has any questions or requires clarification of any requirement regarding the particular cryptographic module, the laboratory can submit Requests for Guidance (RFG) to NIST and CSE, as described in section G.1 of the Implementation Guidance for FIPS 140–2 and the Cryptographic Module Validation Program.
Step 2: Once all the testing requirements have been completed, a validation submission is prepared.
Step 3: The validation submission is sent to CMVP. Two reviewers are assigned to perform the initial review of the documents. One of the reviewers is identified as the point of contact (POC) for CMVP to interact with the CST laboratory to address comments.
Step 4: The coordination process will continue until all comments and/or questions have been satisfactorily addressed.
Step 5: Once the cryptographic module has been validated, the validation information is posted to the Validated FIPS 140–1 and FIPS 140–2 Cryptographic Module List on the CMVP website [2].
The next chapter will be on CMVP and CAVP :)
References
