The NIST National Cybersecurity Center of Excellence (NCCoE) has published the draft NIST Cybersecurity White Paper (CSWP) 37B, Automation of the NIST Cryptographic Module Validation Program (ACMVP). The purpose of this project is to support improvement in the efficiency and timeliness of CMVP operations and processes. The comment period for this publication is now open through October 10, 2025.
The CMVP validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. Current industry cryptographic development and maintenance processes place significant emphasis on time-to-market efficiency. Several elements of the validation process are manual in nature, and the period for third-party testing and government validation of cryptographic modules is often incompatible with industry requirements.
The goal of the ACMVP project is to demonstrate a suite of automated tools that have the potential to make the FIPS 140-3 validation process more efficient and provide higher assurances that test findings reported for modules meet FIPS 140-3 requirements. This publication update covers progress in the project from September 2024 to April 2025, outlining advancement across each of the three workstreams: the Test Evidence (TE) Workstream, the Protocol Workstream, and the Research Infrastructure Workstream.
We want your feedback! We encourage you to review this publication and provide comments by October 10, 2025. Visit the NCCoE project page to download the publication and review comment instructions. If you have any questions, please reach out to the project team at applied-crypto-testing [at] nist.gov.