U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Automation of the NIST Cryptographic Module Validation Program (CMVP)

NIST established the Cryptographic Module Validation Program (CMVP) to ensure that hardware and software cryptographic implementations met standard security requirements. Since its start, the number and complexity of modules to be validated has increased steadily and now exceeds available human resources for product vendors, labs, and validators. This limits product options for many organizations required to use validated cryptography, especially federal agencies. NIST started a broad effort to modernize and automate its cryptographic validation programs. 

Demonstrating the value and practicality of automation to improve the efficiency and timeliness of CMVP operation and processes.

Current industry and government cybersecurity recommendations state that organizations should patch promptly, including application of patches to update cryptographic modules. However, patching can change the environment in which a cryptographic module runs and may also change the module itself, invalidating the previously validated configuration. Federal users and others who depend on validated cryptography face a dilemma when frequent updates and patches are important for staying ahead of the attackers, but the existing CMVP validation process does not permit rapid implementation of these updates while maintaining a validated status. This project will focus on creating methods of automation for the CMVP, as well as means for communicating the results to NIST in a form that enhances the ability of the CMVP to evaluate module validation requirements.
Status: Reviewing Comments

The comment period for the draft NIST Special Publication (SP) 1800-40B, Automation of the NIST Cryptographic Module Validation Program is now closed.

NIST SP 1800-40B: Automation of the NIST Cryptographic Module Validation Program (Initial Public Draft)Document Version NIST SP 1800-40B: Automation of the NIST Cryptographic Module Validation Program (Initial Public Draft)
NIST SP 1800-40B: Automation of the NIST Cryptographic Module Validation Program (Web Version)Web Version NIST SP 1800-40B: Automation of the NIST Cryptographic Module Validation Program (Web Version)
NIST SP 1800-40A: Executive Summary (Preliminary Draft)Document Version NIST SP 1800-40A: Executive Summary (Preliminary Draft)
NIST CSWP 37A, Automation of the NIST Cryptographic Module Validation Program: September 2024 Status Report (Final in PDF format)Web Version NIST CSWP 37A, Automation of the NIST Cryptographic Module Validation Program: September 2024 Status Report (Final in PDF format)
NIST CSWP 37B, Automation of the NIST Cryptographic Module Validation Program: April 2025 Status Report (Initial Public Draft in PDF format)Web Version NIST CSWP 37B, Automation of the NIST Cryptographic Module Validation Program: April 2025 Status Report (Initial Public Draft in PDF format)
Submit Comments

Project Abstract

This project will demonstrate automation that will improve the efficiency and timeliness of CMVP operations and processes. Many elements in the current validation processes are manual in nature, and the period required for third-party testing and government validation of cryptographic modules is often incompatible with industry requirements. This project will demonstrate a suite of tools to modernize and automate manual review processes to improve the assurances and efficiency of the CMVP. 

Read the Project Description

This project will demonstrate a suite of tools to modernize and automate manual review processes in support of existing policy and efforts to include technical testing of the CMVP.

View the CMVP Virtual Workshop

In October 2020, NIST hosted a virtual workshop to discuss the challenges and proposed approaches associated with automating the CMVP with members of industry and government experts.

View the workshop recording and related resources
Metal arrow pointing upward

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capability from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a CRADA to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

Employee speaking on video call with colleagues on online briefing with laptop at home

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Tell us about yourself