Virtual Workshop on the Automation of the NIST Cryptographic Module Validation Program (CMVP)


The NCCoE is developing a NIST CMVP automation project that includes practice descriptions in the form of white papers, playbook generation, and implementation demonstrations. The project aims to improve the ability and efficiency of organizations. The project will examine automated testing within the scope of NIST Handbook 150-17, NVLAP Cryptographic and Security Testing, as an alternative to the existing CMVP program. (NVLAP stands for National Voluntary Laboratory Accreditation Program.) The approach is similar to that of the successful development and rollout of the Automated Cryptographic Algorithm Validation scope in Annex G of NIST Handbook 150-17, and the establishment of an alternative active scope of validation testing under the NIST Cryptographic Algorithm Validation Program (CAVP).

This proposed project generally requires:

  • developing data schema that would enable the generation and validation of standardized evidence produced by the operational testing of an Implementation Under Test (IUT) executing on a Device Under Test (DUT)
  • developing protocols for submitting evidence and receiving comments and results based on that evidence
  • developing capabilities that associate the Automated Cryptographic Module Validation Protocol (AMVP) evidence with other evidence, such as the cryptographic algorithm validation data produced using the Automated Cryptography Validation Protocol (ACVP), that would enable the complete and verifiable representation of an IUT
  • leveraging the ACVP to the greatest extent possible to maintain a consistent system architecture
  • developing implementation validation tools and services to enable an end-to-end validation scope for the CMVP
  • updating the processes and procedures used by developers, implementers, validators, and consumers of validated implementations

The outcome of the project will support the modernization of the CMVP. The resulting program will likely be offered as an alternative to the existing program, to be used in parallel for the period of time needed to allow the automated program to mature and become fully viable for all stakeholders.

Once the automated program is established, other approaches to accelerating its adoption across the stakeholder organizations could include:

  • developing a risk-based approach that takes security requirements, business operations, and mission impact into consideration
  • establishing a communication plan to be used within the organization and for external customers and partners
  • identifying a migration timeline and the necessary resources
  • updating or replacing current security standards, procedures, and recommended practice documentation
  • providing installation, configuration, and administration documentation
  • testing and validating the new processes and procedures

Please join the community of interest by sending an email to applied-crypto-testing@nist.gov to get the latest updates on the activities related to the Automation of the NIST Cryptographic Module Validation Program (CMVP).

