This project is currently in the build phase. We have selected the technology collaborators who have signed a Cooperative Research and Development Agreement (CRADA) with NIST.
Automation of the NIST Cryptographic Module Validation Program
NIST established the Cryptographic Module Validation Program (CMVP) to ensure that hardware and software cryptographic implementations met standard security requirements. Since its start, the number and complexity of modules to be validated has increased steadily and now outstrips available human resources for product vendors, labs, and validators. This limits product options for many organizations required to use validated cryptography, especially federal agencies. NIST has started a broad effort to modernize and automate its cryptographic validation programs.
Demonstrating the value and practicality of automation to improve the efficiency and timeliness of CMVP operation and processes
This project will demonstrate how automation can improve the efficiency and timeliness of CMVP operations and processes. Many elements in the current validation processes are manual in nature, and the period required for third-party testing and government validation of cryptographic modules is often incompatible with industry requirements.
This project will demonstrate a suite of tools to modernize and automate manual review processes in support of existing policy and efforts to include technical testing of the CMVP. These automated tools will employ a vendor/manufacturer testing concept that permits organizations to perform the testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols.
This project will demonstrate a suite of tools to modernize and automate manual review processes in support of existing policy and efforts to include technical testing of the CMVP.
View the CMVP Virtual Workshop
In October 2020, NIST hosted a virtual workshop to discuss the challenges and proposed approaches associated with automating the CMVP with members of industry and government experts.
Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capability from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a CRADA to collaborate with NIST in a consortium to build this example solution.
Join the Community of Interest
A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI.