Automation of the NIST Cryptographic Module Validation Program

NIST established the Cryptographic Module Validation Program (CMVP) to ensure that hardware and software cryptographic implementations met standard security requirements. Since its start, the number and complexity of modules to be validated has increased steadily and now outstrips available human resources for product vendors, labs, and validators. This limits product options for many organizations required to use validated cryptography, especially federal agencies. NIST has started a broad effort to modernize and automate its cryptographic validation programs. 

Demonstrating the value and practicality of automation to improve the efficiency and timeliness of CMVP operation and processes

Current industry and government cybersecurity recommendations state that organizations should patch promptly, including application of patches to update cryptographic modules. However, patching can change the environment in which a cryptographic module runs and may also change the module itself, invalidating the previously validated configuration. Federal users and others who depend on validated cryptography face a dilemma when frequent updates and patches are important for staying ahead of the attackers, but the existing CMVP validation process does not permit rapid implementation of these updates while maintaining a validated status. This project will focus on creating first-party and third-party tests and test tools for automation of CMVP, as well as first-party processes and means for communicating the results to NIST in a form that conforms to module validation requirements.
Status: Soliciting Comments

The public comment period has closed for Volume A of Automation of the NIST Cryptographic Module Validation Program. We are currently reviewing the comments received. Thank you to everyone who shared their feedback with us.

NIST is adopting an agile process to publish this content. Each volume is being made available as soon as possible rather than delaying release until all volumes are completed. Work continues on implementing the example solution and developing other parts of the content. As a preliminary draft, we will publish at least one additional draft for public comment before it is finalized.

NIST SP 1800-40A: Executive Summary (Preliminary Draft)Document Version NIST SP 1800-40A: Executive Summary (Preliminary Draft)

The public comment period for this cybersecurity white paper is open until December 2, 2024.

NIST CSWP 37, Automation of the NIST Cryptographic Module Validation Program: September 2024 Status Report (Initial Public Draft)Web Version NIST CSWP 37, Automation of the NIST Cryptographic Module Validation Program: September 2024 Status Report (Initial Public Draft)

Project Abstract

This project will demonstrate how automation can improve the efficiency and timeliness of CMVP operations and processes. Many elements in the current validation processes are manual in nature, and the period required for third-party testing and government validation of cryptographic modules is often incompatible with industry requirements. 

This project will demonstrate a suite of tools to modernize and automate manual review processes in support of existing policy and efforts to include technical testing of the CMVP. These automated tools will employ a vendor/manufacturer testing concept that permits organizations to perform the testing of their cryptographic products according to the requirements of  FIPS 140-3, then directly report the results to NIST using appropriate protocols. 

Read the Project Description

This project will demonstrate a suite of tools to modernize and automate manual review processes in support of existing policy and efforts to include technical testing of the CMVP.

View the CMVP Virtual Workshop

In October 2020, NIST hosted a virtual workshop to discuss the challenges and proposed approaches associated with automating the CMVP with members of industry and government experts.

View the workshop recording and related resources
Metal arrow pointing upward

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capability from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a CRADA to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

Employee speaking on video call with colleagues on online briefing with laptop at home

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Tell us about yourself

First & Last Name