Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
The NIST Cryptographic Module Validation Program (CMVP) is essential for organizations required to use validated cryptography – ensuring that hardware and software cryptographic implementations meet standard security requirements. The NCCoE has published the draft NIST SP 1800-40B, Automation of the NIST Cryptographic Module Validation Program to demonstrate how structured test evidence, standardized submission protocols, and modernized computing infrastructure can streamline the submission and review process.
This publication is open for public comment through June 1, 2026.
Background
NIST established the CMVP to ensure that hardware and software cryptographic implementations conform to specified security requirements. Since CMVP was established, the volume, complexity, and speed-to-market of cryptographic modules seeking validation have steadily increased. The rapid pace of innovation is exceeding the capacity of vendors, labs, and validation authorities to keep up with testing and validation.
The NCCoE, in collaboration with the CMVP, is demonstrating the value of automation to improve the efficiency and timeliness of CMVP operations and processes. This publication provides details on the modernization effort, including automation of the testing and validation process, demonstration of protocols to accept and process module validation submissions, and an overview of the infrastructure changes to shift from an on-premises architecture to a cloud-native platform. This publication is intended to help testing labs, technology producers, and validation authorities streamline the validation process while maintaining and improving assurance levels.
Comment Now!
We encourage you to download the publication and submit your feedback by June 1, 2026. While no further publication updates are planned, the team invites users to provide feedback on the areas where clarification might be beneficial.
If you have any questions, you can reach out to the team at applied-crypto-testing [at] nist.gov (applied-crypto-testing[at]nist[dot]gov).