diff --git a/crypto/Makefile b/crypto/Makefile
index aff52de1f84b..8c022d7f0938 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -206,7 +206,7 @@ FIPS140_CFLAGS := -D__DISABLE_EXPORTS -DBUILD_FIPS140_KO
 # Create a separate FIPS archive containing a duplicate of each builtin generic
 # module that is in scope for FIPS 140-2 certification
 #
-crypto-fips-objs := drbg.o ecb.o cbc.o ctr.o gcm.o xts.o hmac.o memneq.o \
+crypto-fips-objs := drbg.o ecb.o cbc.o ctr.o cts.o gcm.o xts.o hmac.o memneq.o \
 gf128mul.o aes_generic.o lib-crypto-aes.o \
 sha1_generic.o sha256_generic.o sha512_generic.o \
 lib-sha1.o lib-crypto-sha256.o
diff --git a/crypto/fips140-module.c b/crypto/fips140-module.c
index a91735c37c67..67092d857b60 100644
--- a/crypto/fips140-module.c
+++ b/crypto/fips140-module.c
@@ -76,6 +76,7 @@ static const char * const fips140_algorithms[] __initconst = {
 "ecb(aes)",
 "cbc(aes)",
+ "cts(cbc(aes))",
 "ctr(aes)",
 "xts(aes)",
diff --git a/crypto/fips140-selftests.c b/crypto/fips140-selftests.c
index df1ac71c67ce..437520dacd69 100644
--- a/crypto/fips140-selftests.c
+++ b/crypto/fips140-selftests.c
@@ -30,9 +30,10 @@
 * be excluded by one of the rules above.
 *
 * See fips140_selftests[] for the list of tests we've selected. Currently, all
- * our test vectors except the DRBG ones were generated by the script
- * tools/crypto/gen_fips140_testvecs.py, using the known-good implementations in
- * the Python packages hashlib, pycryptodome, and cryptography.
+ * our test vectors except the AES-CBC-CTS and DRBG ones were generated by the
+ * script tools/crypto/gen_fips140_testvecs.py, using the known-good
+ * implementations in the Python packages hashlib, pycryptodome, and
+ * cryptography.
 *
 * Note that we don't reuse the upstream crypto API's self-tests
 * (crypto/testmgr.{c,h}), for several reasons:
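Review bot: The rewritten header comment in the fips140-selftests.c hunk says the AES-CBC-CTS vector was not produced by tools/crypto/gen_fips140_testvecs.py but does not say where it did come from, so anyone re-verifying the vectors has to find the `/* Test vector taken from RFC 3962 */` annotation in the table further down. Name the source in the same sentence, e.g. `* our test vectors except the AES-CBC-CTS one (taken from RFC 3962) and the DRBG ones were generated by the`, rewrapping the following lines to the existing width. The DRBG provenance was already left unstated before this change, so that part is pre-existing.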
@@ -671,7 +672,7 @@ static const struct fips_test fips140_selftests[] __initconst = {
 }
 }, {
 /*
- * Tests for AES-CBC, AES-CTR, and AES-XTS.
+ * Tests for AES-CBC, AES-CBC-CTS, AES-CTR, and AES-XTS.
 *
 * According to the IG, unauthenticated AES modes don't need to have
 * their own test as long as both directions of the underlying AES
@@ -699,6 +700,32 @@ static const struct fips_test fips140_selftests[] __initconst = {
 .ciphertext = fips_aes_cbc_ciphertext,
 .message_size = sizeof(fips_message),
 }
+ }, {
+ .alg = "cts(cbc(aes))",
+ .impls = {
+ /* All standalone implementations of "cts(cbc(aes))" */
+ "cts-cbc-aes-neon",
+ "cts-cbc-aes-ce",
+ },
+ .func = fips_test_skcipher,
+ /* Test vector taken from RFC 3962 */
+ .skcipher = {
+ .key = "\x63\x68\x69\x63\x6b\x65\x6e\x20" "\x74\x65\x72\x69\x79\x61\x6b\x69",
+ .key_size = 16,
+ .iv = "\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .iv_size = 16,
+ .plaintext = "\x49\x20\x77\x6f\x75\x6c\x64\x20" "\x6c\x69\x6b\x65\x20\x74\x68\x65" "\x20\x47\x65\x6e\x65\x72\x61\x6c" "\x20\x47\x61\x75\x27\x73\x20",
+ .ciphertext = "\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1" "\xd4\x45\xd4\xc8\xef\xf7\xed\x22" "\x97\x68\x72\x68\xd6\xec\xcc\xc0" "\xc0\x7b\x25\xe2\x5e\xcf\xe5",
+ .message_size = 31,
+ }
 }, {
 .alg = "ctr(aes)",
 .impls = {
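Review bot: The new cts(cbc(aes)) entry pins a single 31-byte message, which only exercises the partial-final-block path of CTS; the exact-block-multiple case (32 bytes), where the CS3 variant that RFC 3962 specifies swaps the last two ciphertext blocks instead of stealing from them, is left unexercised, though under the IG reasoning quoted in the preceding hunk a single vector may be deliberate. RFC 3962 supplies vectors for 32- and 48-byte messages under the same key and zero IV, so a second table entry for the 32-byte message would cover the swap path without changing the harness if it stays at one vector per entry. The hand-counted `.message_size = 31` agrees with the four plaintext literal fragments (8+8+8+7 bytes) and the ciphertext has the same length, so that part checks out. The `fips140_selftests[]` array starts and ends outside this hunk.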