Automation of the NIST Cryptographic Module Validation Program

NIST established the Cryptographic Module Validation Program (CMVP) to ensure that hardware and software cryptographic implementations meet standard security requirements. Since its start, the number and complexity of modules to be validated have increased steadily and now outstrip the human resources available to product vendors, labs, and validators. This limits product options for many organizations required to use validated cryptography, especially federal agencies. NIST has started a broad effort to modernize and automate its cryptographic validation programs.

Demonstrating the value and practicality of automation to improve the efficiency and timeliness of CMVP operation and processes

Current industry and government cybersecurity recommendations state that organizations should patch promptly, including application of patches to update cryptographic modules. However, patching can change the environment in which a cryptographic module runs and may also change the module itself, invalidating the previously validated configuration. Federal users and others who depend on validated cryptography face a dilemma when frequent updates and patches are important for staying ahead of the attackers, but the existing CMVP validation process does not permit rapid implementation of these updates while maintaining a validated status. This project will focus on creating first-party and third-party tests and test tools for automation of CMVP, as well as first-party processes and means for communicating the results to NIST in a form that conforms to module validation requirements.
Status: Seeking Collaborators

Industry participants and other interested parties are invited to participate in the Automation of the NIST Cryptographic Module Validation Program project. Please review the requirements identified in the Federal Register Notice. Anyone interested in becoming a collaborator should request and complete a Letter of Interest. The NCCoE considers participants who have submitted a completed Letter of Interest on a first-come, first-served basis.

Project Abstract

The purpose of the project is to demonstrate the value and practicality of automation to improve the efficiency and timeliness of Cryptographic Module Validation Program (CMVP) operation and processes. A number of elements of the current validation processes are manual in nature, and the period required for third-party testing and government validation of cryptographic modules is often incompatible with industry requirements. 

This project will demonstrate a suite of tools to modernize and automate manual review processes in support of existing policy and efforts to include technical testing of the CMVP. These automated tools will employ a vendor/manufacturer testing concept that permits organizations to perform the testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols.

Supplemental Resources

NIST hosted a virtual workshop on the topic of automation of the CMVP in October 2020. The purpose of this workshop was to discuss the challenges and proposed approaches associated with automating the CMVP.  

View the workshop recording and related resources

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Members typically meet monthly by teleconference. Share your expertise and consider becoming a member of this project's COI.

Request to Join