NVLAP Lab Bulletin LB-162-2025

Department of Commerce
National Institute of Standards and Technology
National Voluntary Laboratory Accreditation Program

Issue date:     December 16, 2025
Number:         LB-162-2025
LAP:                  Cryptographic and Security Testing
Subject:          Clarification for definition of first-party laboratory for CST testing

Background
NIST Handbook 150-17, NVLAP Cryptographic and Security Testing (CST), Section 4.1.2 states the following:

…A first-party CST laboratory may be part of the same company that produced the IUT/SUT but must be organizationally independent.

Annex G, Section G.1 references first-party testing laboratories for Cryptographic Algorithm Validation Program (CAVP) testing.

Purpose
The purpose of this bulletin is to clarify the definition of a first-party CST laboratory.

Notice
NVLAP and the CAVP consider a first-party laboratory to be part of the same company, which produces the IUT/SUT, or part of the legal entity which is controlled by the same company as the laboratory.   Control exists through the: direct or indirect ownership of more than 50 % of the nominal value of the issued equity share capital or of more than 50 % of the shares entitling the holders to vote for the election of directors or persons performing similar functions, or direct or indirect right by any other means to elect or appoint directors, or persons performing similar functions, who have a majority vote. The first-party laboratory must be organizationally independent of the company to ensure their impartiality.

Implementation of Changes
This change is effective upon publication of this bulletin.

Please retain this NVLAP lab bulletin with your copy of NIST Handbook 150-22:2022 for future reference.

Questions regarding the changes to the NVLAP CST LAP requirements should be directed to Janneth Marcelo, janneth.marcelo [at] nist.gov (janneth[dot]marcelo[at]nist[dot]gov).