Rescheduled: Virtual Workshop on the Automation of the NIST Cryptographic Module Validation Program (CMVP)

Monday, October 5, 2020

This workshop was rescheduled from September 1. 

Workshop Objectives

The National Institute of Standards and Technology (NIST) will host a virtual workshop on the Automation of the NIST Cryptographic Module Validation Program (CMVP) on Monday, October 5, 2020. The number of cryptographic module validations has outstripped the available human resources for timely validation processing. This phenomenon is affecting all stakeholders participating in the CMVP (vendors, labs, and validators alike). The purpose of the workshop is to discuss the challenges and proposed approaches associated with automating the CMVP. The approach to CMVP automation must be based on consistent and reproducible evidence generated and reported by the producers of technologies that implement cryptographic capabilities. The findings from this workshop will inform the development of a potential National Cybersecurity Center of Excellence (NCCoE) demonstration project that supports the Federal Information Processing Standards (FIPS) 140-3 Cryptographic Module Validation Program. The automated program should show a capability to process and deliver results at machine speed.

Background

The NCCoE is developing a NIST CMVP automation project that includes practice descriptions in the form of white papers, playbook generation, and implementation demonstrations. The project aims to improve the ability and efficiency of organizations. The project will examine automated testing within the scope of NIST Handbook 150-17, NVLAP Cryptographic and Security Testing, as an alternative to the existing CMVP program. (NVLAP stands for National Voluntary Laboratory Accreditation Program.) The approach is similar to that of the successful development and rollout of the Automated Cryptographic Algorithm Validation scope in Annex G of NIST Handbook 150-17, and the establishment of an alternative active scope of validation testing under the NIST Cryptographic Algorithm Validation Program (CAVP).

This proposed project generally requires:

  • developing data schemas that would enable the generation and validation of standardized evidence produced by the operational testing of an Implementation Under Test (IUT) executing on a Device Under Test (DUT)
  • developing protocols for submitting evidence and receiving comments and results based on that evidence
  • developing capabilities that associate the Automated Cryptographic Module Validation Protocol (AMVP) evidence with other evidence, such as the cryptographic algorithm validation data produced using the Automated Cryptography Validation Protocol (ACVP), that would enable the complete and verifiable representation of an IUT
  • leveraging the ACVP to the greatest extent possible to maintain a consistent system architecture
  • developing implementation validation tools and services to enable an end-to-end validation scope for the CMVP
  • updating the processes and procedures used by developers, implementers, validators, and consumers of validated implementations

 

The outcome of the project will support the modernization of the CMVP. The resulting program will likely be offered as an alternative to the existing program to be used in parallel for a period of time needed to allow the automated program to mature and become fully viable for all stakeholders.

Once the automated program is established, other approaches to accelerating its adoption across the stakeholder organizations could include:

  • developing a risk-based approach that takes security requirements, business operations, and mission impact into consideration
  • establishing a communication plan to be used within the organization and for external customers and partners
  • identifying a migration timeline and the necessary resources
  • updating or replacing current security standards, procedures, and recommended practice documentation
  • providing installation, configuration, and administration documentation
  • testing and validating the new processes and procedures

Call for Participation 

NIST invites industry subject matter experts and practitioners to present their views related to the challenges associated with the automation of the NIST CMVP and approaches to tackling the problem. The primary focus of the workshop is to support the development of an actionable project plan. The project would start from simple but effective initial steps. Over time, the effort would begin to tackle the more difficult tasks required to achieve full automation as part of a secure software development process. The resulting process would aim to minimize the human resources required for validation. The workshop provides an opportunity for participants to provide feedback regarding all aspects of the planned project, to include the resulting impact on:

  • organization and business practices
  • relevant standards, guidelines, and recommended practices
  • use cases and the technologies to be considered
  • automated test methodologies and integration with existing test harnesses for CAVP
  • sources of the specifications and guidance to be employed

NIST will use the resulting prioritized list of activities to help accelerate the development of an automated program for cryptographic module validation.

Requests to present at this workshop should be submitted to applied-crypto-testing@nist.gov no later than September 18, 2020.

If you are interested in presenting at the workshop, please submit a description of your interest in one or more of the following topics in one page or less to applied-crypto-testing@nist.gov:

  • the data formats and application programming interfaces of the cryptographic modules needed to support the development of the necessary schemas and protocols for evidence submission and validation
  • architecture and development of an infrastructure required to support a new automated validation program
  • positive and negative impacts that the new automation program may have on your organization
  • development of new or updated policies and recommended practices for the automated validation scope in NIST Handbook 150-17
  • development of a roadmap for migrating your organization or your customers from the current human-effort-centric CMVP to the new automated program

 

Submissions should be made by September 18, 2020. NIST may accept late submissions based on the merits of the proposal no later than September 21, 2020.

The workshop will be recorded and the content will be made available after the event. Please join the community-of-interest by sending an email to applied-crypto-testing@nist.gov to get the latest updates on the activities related to the Automation of the NIST Cryptographic Module Validation Program (CMVP).


Agenda

 11:00 – 11:10 EDT: NIST and NCCoE Overview

 11:10 – 11:25 EDT: Workshop Overview & Background

 11:25 – 11:45 EDT: Status of the Automation of NIST Cryptographic Validation Programs

 11:45 – 11:55 EDT: Moderated Q&A

 11:55 – 12:00 EDT: Break

 12:00 – 13:00 EDT: Challenges Session

  • Schema and protocols for evidence submission for module validation
  • Requirements for establishing a new automated module validation scope in NIST Handbook 150-17
  • Integration challenges of the new validation program with the existing automated algorithm validation program
  • Challenges to your organization

 13:00 – 13:10 EDT: Moderated Q&A

 13:10 – 13:15 EDT: Break

 13:15 – 14:15 EDT: Ten Minute Participant Lightning Talk Session

 14:15 – 14:30 EDT: Moderated Q&A

 14:30 – 14:45 EDT: Next Steps/Wrap-up (NCCoE)

Questions? 

Please send an email to applied-crypto-testing@nist.gov