Relation between FIPS, CC, CMVP, CAVP and CAVS

When defence and government agencies such as healthcare, finance and social security (which hold confidential but unclassified information about users) need to choose devices for official use, they need an approved standard or set of criteria they can rely on to keep users' data secure. FIPS and CC are two of the standards these agencies currently follow.

FIPS (Federal Information Processing Standard) and CC (Common Criteria) are two security product certification programs run by government(s), whereas CMVP (Cryptography Module Validation Program), CAVP (Cryptography Algorithms Validation Program) and CAVS (Cryptography Algorithm Validation Scheme) are programs that help meet some of the prerequisites for acquiring the FIPS and CC certifications. Both the FIPS and CC standards seem to have a set of cryptographic requirements listed in the form of standards, and products that seek these certificates must fulfil those requirements to claim the certifications. Once a product is awarded these certificates, it becomes eligible to be bought by different government agencies for their official use.

A product can be certified for CC, for FIPS, or for both. FIPS and CC each offer different levels of certification based on the requirements met by the product. FIPS offers Level 1 to Level 4 certificates based on the level of security met by the product (security increases with the level, Level 1 being the least secure and Level 4 the most secure), while CC offers levels from EAL 1 to EAL 7 (EAL 1 is the least verified and EAL 7 the most verified level) **.

The United States and Canada top the list in terms of FIPS usage right now. FIPS defines the requirements and standards for cryptographic modules, which include both hardware and software components. As part of the software standard, FIPS defines various parameters such as the way algorithms need to be designed, the complexities those algorithms need to handle, and the number of different algorithms the security modules should support. Hardware requirements and standards may include features like tamper resistance, tamper-resistant coating, operating conditions, etc.

CC, on the other hand, is an international standard which is covered by almost 19-20 countries right now. CC is a framework in which users can specify their security functional and assurance requirements through the use of Protection Profiles (various protection profiles can exist, like MDFPP – mobile device fundamental protection profile, Firewall PP, Smartcard PP, etc.), private vendors/OEMs can then implement and/or make claims about the security attributes of their products, and authorized testing laboratories can evaluate the products to determine if they actually meet the claims. Unlike FIPS (140-2), CC primarily focuses on software security requirements (not hardware). Also, details of the cryptographic implementation (algorithms) within the device are outside the scope of CC; instead, it uses the specifications given by standards like FIPS 140 to specify the cryptographic module requirements and algorithms. Below is the snippet from MDFPP 2.0 which shows the MDFPP requirement specified in terms of the FIPS PUB 197 specification:

FCS_COP.1(1) Cryptographic operation
FCS_COP.1.1(1) The TSF shall perform [encryption/decryption] in accordance with a specified cryptographic algorithm AES-CBC (as defined in FIPS PUB 197, and NIST SP 800-38A) mode.

While FIPS and CC define the standards and requirements for the certification, the CMVP program is run by the United States and Canadian governments to define the tests, test methodologies and test structures which need to be followed by any vendor who wants their devices (modules) to be certified for FIPS or CC. As per the setup, all the tests under CMVP are run only by third-party, CMVP-authorized laboratories.

Additionally, CAVP is a program which provides guidance for the testing and validation of the FIPS-approved software algorithms. The CAVP provides assurance that cryptographic algorithm implementations adhere to the detailed algorithm specifications. A suite of validation tests (a test tool, called CAVS) is designed for each cryptographic algorithm to test the algorithm specifications and the functionality of that algorithm. The validation of the cryptographic algorithm implementations in a cryptographic module is a prerequisite to the validation of that cryptographic module itself, so in easy and simple words: CAVP is a prerequisite for CMVP, and CMVP is a prerequisite for FIPS and CC certification.
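
The kind of known-answer checking described above, as an added example (not code from the original post and not NIST's CAVS tool): a small harness that parses test vectors and runs them against an implementation under test. It uses SHA-256 from Python's `hashlib` instead of the AES-CBC of the MDFPP excerpt because it ships with the standard library; the `Len`/`Msg`/`MD` record layout, the sample records and all function names are assumptions constructed for this example.

```python
import hashlib

# Constructed sample: SHA-256 known answers for the empty message and "abc".
# Len is the message length in bits; a zero-length record carries a dummy "00".
SAMPLE_RSP = """\
# constructed sample, not a real CAVS file
[L = 32]

Len = 0
Msg = 00
MD = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Len = 24
Msg = 616263
MD = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

def parse_vectors(text):
    """Split blank-line separated 'KEY = VALUE' records into dicts."""
    vectors, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":      # separators, comments, headers
            if current:
                vectors.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        vectors.append(current)
    return vectors

def run_kat(digest_fn, vectors):
    """Return (index, passed) for every vector run through digest_fn."""
    results = []
    for i, v in enumerate(vectors):
        nbits = int(v["Len"])
        if nbits % 8:
            raise ValueError("only byte-oriented vectors are handled here")
        msg = bytes.fromhex(v["Msg"])[: nbits // 8]
        results.append((i, digest_fn(msg).hex() == v["MD"].lower()))
    return results

def sha256_ok(msg):
    return hashlib.sha256(msg).digest()

def sha256_truncating(msg):
    # Hypothetical defective implementation: drops the last input byte.
    return hashlib.sha256(msg[:-1]).digest()

if __name__ == "__main__":
    vecs = parse_vectors(SAMPLE_RSP)
    print("correct:  ", run_kat(sha256_ok, vecs))
    print("defective:", run_kat(sha256_truncating, vecs))
```

The defective implementation still passes the empty-message vector, which is why a validation suite runs many vectors of different lengths rather than a single one.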

Okay now, once the CAVP and CMVP certificate numbers (e.g. Cert # 470) are available to vendors, they can mention them in their supporting documents and apply to get the FIPS and CC certificates from the government (NIST). And once the product/module is awarded a FIPS or CC certification, it will be listed on the NIST website, which different agencies can refer to when choosing a product for their official use.

** While FIPS levels ensure increasing security, CC levels just specify the rigor of the verification done by the CC testing laboratories.