CMTL

A Cryptographic Module Testing Laboratory (CMTL) is an information technology (IT) computer security testing laboratory that is accredited to conduct cryptographic module evaluations for conformance to the FIPS 140-2 U.S. Government standard. The National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) accredits CMTLs to meet Cryptographic Module Validation Program (CMVP) standards and procedures. This has been replaced by FIPS 140-2 and the Cryptographic Module Validation Program (CMVP).


CMTL requirements

These laboratories must meet the following requirements:

* NIST Handbook 150, NVLAP Procedures and General Requirements
* NIST Handbook 150-17 Information Technology Security Testing - Cryptographic Module Testing
** NVLAP Specific Operations Checklist for Cryptographic Module Testing


FIPS 140-2 in relation to the Common Criteria

A CMTL can also be a Common Criteria (CC) Testing Laboratory (CCTL). The CC and FIPS 140-2 are different in the abstractness and focus of tests. FIPS 140-2 testing is against a defined cryptographic module and provides a suite of conformance tests to four FIPS 140 security levels. FIPS 140-2 describes the requirements for cryptographic modules and includes such areas as physical security, key management, self tests, roles and services, etc. The standard was initially developed in 1994, prior to the development of the CC. The CC is an evaluation against a Protection Profile (PP), usually created by the user, or security target (ST). Typically, a PP covers a broad range of products.

* A CC evaluation does not supersede or replace a validation to either FIPS 140-1 or FIPS 140-2. The four security levels in FIPS 140-1 and FIPS 140-2 do not map directly to specific CC EALs or to CC functional requirements. A CC certificate cannot be a substitute for a FIPS 140-1 or FIPS 140-2 certificate. If the operational environment is a modifiable operational environment, the operating system requirements of the Common Criteria are applicable at FIPS Security Levels 2 and above.
* FIPS 140-1 required evaluated operating systems that referenced the Trusted Computer System Evaluation Criteria (TCSEC) classes C2, B1 and B2. However, TCSEC is no longer in use and has been replaced by the Common Criteria. Consequently, FIPS 140-2 now references the Common Criteria.


External links


List of CMTLs from NIST