Virtual Workshop on the Automation of the NIST Cryptographic Module Validation Program (CMVP)

Monday, October 5, 2020

Workshop Overview

The National Institute of Standards and Technology (NIST) hosted a virtual workshop on the Automation of the NIST Cryptographic Module Validation Program (CMVP) on Monday, October 5, 2020. The number of cryptographic module validations has outstripped the available human resources for timely validation processing. This phenomenon is affecting all stakeholders participating in the CMVP (vendors, labs, and validators alike). The purpose of the workshop discussed the challenges and proposed approaches associated with automating the CMVP. The approach to CMVP automation must be based on consistent and reproducible evidence generated and reported by the producers of technologies that implement cryptographic capabilities. The findings from this workshop will inform the development of a potential National Cybersecurity Center of Excellence (NCCoE) demonstration project that supports the Federal Information Processing Standards (FIPS) 140-3 Cryptographic Module Validation Program. The automated program should show a capability to process and deliver results at machine speed.

Workshop Recording

Post-Workshop Materials

Slide presentations are linked to the speaker. 

 Presentation #1

 NIST and NCCoE Overview

 Jeff Greene

 Presentation #2

 Workshop Overview & Background

 Matt Scholl

 Presentation #3

 Status of the Automation of NIST Cryptographic Validation   Programs

 Apostol Vassilev


 Presentation #4

 Presentation #5

 Presentation #6

 Presentation #7

 Challenges Session

  • Integration challenges of the new validation program with the existing automated algorithm validation program 
    • Barry Fussell, Cisco
  • Schema and protocols for evidence submission for module validation
    • Miguel Osorio, Google
  • Requirements for establishing a new automated module validation scope in NIST Handbook 150-17
    • Tim Anderson, Amazon
  • Challenges to your organization
    • Blair Heiserman, NIST





Presentation #8

 Presentation #9

 Presentation #10

 Presentation #11

 Presentation #12

 Presentation #13


 Ten Minute Participant Lightning Talk Session

  • Mike Grimm, Microsoft
  • Mike Dodds, Galois
  • Chris Celi, NIST
  • Gavin O'Brien, NIST
  • Stephan Mueller, ATSEC
  • Ravi Jagannathan, VMWare



 Presentation #14

 Next Steps/Wrap-up (NCCoE)

 Curt Barker



The NCCoE is developing a NIST CMVP automation project that includes practice descriptions in the form of white papers, playbook generation, and implementation demonstrations. The project aims to improve the ability and efficiency of organizations. The project will examine automated testing within the scope of NIST Handbook 150-17, NVLAP Cryptographic and Security Testing as an alternative to the existing CMVP program. (NVLAP stands for National Voluntary Laboratory Accreditation Program.) The approach is similar to that of the successful development and rollout of the Automated Cryptographic Algorithm Validation scope in Annex G of NIST Handbook 150-17, and the establishment of an alternative active scope of validation testing under the NIST Cryptographic Algorithm Validation Program (CAVP).

This proposed project generally requires:

  • developing data schema that would enable the generation and validation of standardized evidence produced by the operational testing of an Implementation Under Test (IUT) executing on a Device Under Test (DUT)
  • developing protocols for submitting evidence and receiving comments and results based on that evidence
  • developing capabilities that associate the Automated Cryptographic Module Validation Protocol (AMVP) evidence with other evidence, such as the cryptographic algorithm validation data produced using the Automated Cryptography Validation Protocol (ACVP), that would enable the complete and verifiable representation of an IUT
  • leveraging the ACVP to the greatest extent possible to maintain a consistent system architecture
  • developing implementation validation tools and services to enable an end-to-end validation scope for the CMVP
  • updating the processes and procedures used by developers, implementers, validators, and consumers of validated implementations

The outcome of the project will support the modernization of the CMVP. The resulting program will likely be offered as an alternative to the existing program to be used in parallel for a period of time needed to allow the automated program to mature and become fully viable for all stakeholders.

Once the automated program is established, other approaches to accelerating its adoption across the stakeholder organizations could include:

  • developing a risk-based approach that takes security requirements, business operations, and mission impact into consideration
  • establishing a communication plan to be used within the organization and for external customers and partners
  • identifying a migration timeline and the necessary resources
  • updating or replacing current security standards, procedures, and recommended practice documentation
  • providing installation, configuration, and administration documentation
  • testing and validating the new processes and procedures

Please join the community-of-interest by sending an email to to get the latest updates on the activities related to the Automation of the NIST Cryptographic Module Validation Program (CMVP).



Please send an email to