http://debianws.lexgopc.com/wiki143/index.php?action=history&feed=atom&title=Cryptographic_Module_Testing_LaboratoryCryptographic Module Testing Laboratory - Revision history2026-04-30T15:57:48ZRevision history for this page on the wikiMediaWiki 1.43.1http://debianws.lexgopc.com/wiki143/index.php?title=Cryptographic_Module_Testing_Laboratory&diff=3594561&oldid=previmported>Another day in the trench at 08:21, 1 March 20242024-03-01T08:21:37Z<p></p>
<p><b>New page</b></p><div>{{Short description|Computer security testing laboratory}}<br />
'''Cryptographic Module Testing Laboratory''' ('''CMTL''') is an [[information technology]] (IT) [[computer security]] testing laboratory that is accredited to conduct cryptographic module evaluations for conformance to the [[FIPS 140-2]] [[United States|U.S.]] [[United States Government|Government]] standard.<br />
<br />
The [[NIST|National Institute of Standards and Technology]] (NIST) [[NVLAP|National Voluntary Laboratory Accreditation Program]] (NVLAP) accredits CMTLs to meet [[CMVP|Cryptographic Module Validation Program]] (CMVP) standards and procedures.<br />
<br />
This has been replaced by [https://csrc.nist.gov/Presentations/2002/FIPS-140-2-and-the-Cryptographic-Module-Validation FIPS 140-2 and the Cryptographic Module Validation Program (CMVP)].<br />
<br />
==CMTL requirements==<br />
These laboratories must meet the following requirements:<br />
<br />
* NIST Handbook 150, NVLAP Procedures and General Requirements<br />
* NIST Handbook 150-17 Information Technology Security Testing - Cryptographic Module Testing<br />
**NVLAP Specific Operations Checklist for Cryptographic Module Testing<br />
<br />
==FIPS 140-2 in relation to the Common Criteria==<br />
<br />
A CMTL can also be a [[Common Criteria]] (CC) Testing Laboratory ([[Common Criteria Testing Laboratory|CCTL]]). <br />
The CC and FIPS 140-2 are different in the abstractness and focus of evaluation. FIPS 140-2 testing is against a defined cryptographic module and provides a suite of conformance tests to four [[FIPS 140-2#Security Levels|FIPS 140 security levels]]. FIPS 140-2 describes the requirements for cryptographic modules and includes such areas as [[physical security]], [[key management]], self tests, [[RBAC|roles]] and services, etc. The standard was initially developed in 1994 - prior to the development of the CC. The CC is an evaluation against a [[Protection Profile]] (PP), or security target (ST). Typically, a PP covers a broad range of products.<br />
<br />
* A CC evaluation does not supersede or replace a validation to either [[FIPS 140-1]], [[FIPS140-2]] or [[FIPS 140-3]]. The four security levels in FIPS 140-1 and FIPS 140-2 do not map directly to specific CC [[Evaluation Assurance Level|EAL]]s or to CC functional requirements. A CC certificate cannot be a substitute for a FIPS 140-1 or FIPS 140-2 certificate.<br />
<br />
If the operational environment is a modifiable operational environment, the operating system requirements of the [[Common Criteria]] are applicable at FIPS Security Levels 2 and above.<br />
<br />
* FIPS 140-1 required evaluated operating systems that referenced the [[Trusted Computer System Evaluation Criteria]] (TCSEC) classes C2, B1 and B2. However, TCSEC is no longer in use and has been replaced by the Common Criteria. Consequently, FIPS 140-2 now references the Common Criteria.<br />
<br />
[[FIPS 140-2]] or [[FIPS 140-3]] validation efforts can be in some parts reused in Common Criteria evaluations, specifically in areas related to [[entropy source]] and cryptographic algorithms.<br />
<br />
== References ==<br />
<references /><br />
<br />
==External links==<br />
* [https://web.archive.org/web/20060811213603/http://csrc.nist.gov/cryptval/ List of CMTLs] from [[NIST]]<br />
<br />
[[Category:Computer security procedures]]<br />
[[Category:Tests]]<br />
[[Category:Cryptography]]</div>imported>Another day in the trench