Date Published: September 10, 2025
Comments Due:
Email Comments to:
Author(s)
Chris Celi (NIST), Alexander Calis (NIST), Murugiah Souppaya (NIST), William Barker (Strativia), Karen Scarfone (Scarfone Cybersecurity), Shawn Geddis (Katalyst), Raoul Gabiam (MITRE), Stephan Mueller (atsec), Yi Mao (atsec), Barry Fussell (Cisco), Andrew Karcher (Cisco), Douglas Boldt (AWS)
Announcement
The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. The NIST National Cybersecurity Center of Excellence (NCCoE) has undertaken the Automated Cryptographic Module Validation Project (ACMVP) to support improvement in the efficiency and timeliness of CMVP operations and processes. The goal is to demonstrate a suite of automated tools that would permit organizations to perform testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols.
This is a status report of progress made since October 2024 with the ACMVP and the planned next steps for the project.
The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. The current cryptographic module validation process is heavily manual, out of sync with the speed of technology industry development and deployment. Thus, the NIST National Cybersecurity Center of Excellence (NCCoE) has undertaken the Automated Cryptographic Module Validation Project (ACMVP) to support improvement in the efficiency and timeliness of CMVP operations and processes. The goal is to demonstrate a suite of automated tools that have the potential to make the FIPS 140-3 validation process more efficient and provide higher assurances that test findings reported for modules meet FIPS 140-3 requirements.
This report is the second status report for the project, which describes progress made between September 2024 and April 2025 and planned next steps. A prior update of work accomplished can be found in the September 2024 status report. This document outlines progress across each of the three workstreams: the Test Evidence (TE) Workstream, the Protocol Workstream, and the Research Infrastructure Workstream, each a focused effort in its own right. The combined impact of these workstreams intends to result in improvements to the overall automation of the CMVP.
The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. The current cryptographic…
See full abstract
The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. The current cryptographic module validation process is heavily manual, out of sync with the speed of technology industry development and deployment. Thus, the NIST National Cybersecurity Center of Excellence (NCCoE) has undertaken the Automated Cryptographic Module Validation Project (ACMVP) to support improvement in the efficiency and timeliness of CMVP operations and processes. The goal is to demonstrate a suite of automated tools that have the potential to make the FIPS 140-3 validation process more efficient and provide higher assurances that test findings reported for modules meet FIPS 140-3 requirements.
This report is the second status report for the project, which describes progress made between September 2024 and April 2025 and planned next steps. A prior update of work accomplished can be found in the September 2024 status report. This document outlines progress across each of the three workstreams: the Test Evidence (TE) Workstream, the Protocol Workstream, and the Research Infrastructure Workstream, each a focused effort in its own right. The combined impact of these workstreams intends to result in improvements to the overall automation of the CMVP.
Hide full abstract
Keywords
Automated Cryptographic Module Validation Project (ACMVP); Cryptographic Module Validation Program (CMVP); cryptography; cryptographic module; cryptographic module testing; cryptographic module validation
Control Families
None selected