Cryptographic and Security Testing LAP

The Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP), initially named Cryptographic Module Testing (CMT), was established by NVLAP to accredit laboratories that perform cryptographic modules validation conformance testing under the Cryptographic Module Validation Program (CMVP). In response to other mandates and requests, additional testing has been added to the program to include algorithm testing for the Cryptographic Algorithm Validation Program (CAVP), testing to improving the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems for the NIST Personal Identification Verification Program (NPIVP), test methods for the GSA FIPS 201 Evaluation Program which build upon NPIVP test methods as the GSA Precursor (GSAP), testing to validate the implementation of the Security Content Automation Protocol (SCAP) standards within security software modules, and conformance testing to methods supportive of the Department of Homeland Security's Identity and Privilege Credential Management; e.g, Transportation Worker Identification Credential (TWIC).

Proficiency Testing Requirements

Laboratories applying for accreditation to 17CM are required have a minimum of two CVP-certified testers on staff and successfully test CMVP’s initial proficiency artifact before an initial assessment is scheduled. A lab shall have a minimum of two CVP-certified testers on staff throughout the accreditation. 

Also, laboratories accredited to 17CM are required to submit a minimum of two (2) test reports annually (every 12 calendar months) to the validation authority. Laboratory results are then subject to the CMVP’s Extended Cost Recovery (ECR) point program. CMVP uses the ECR review program to assign points for issues identified by the CMVP during the review of results for each testing activity. The laboratory is to maintain a point total of less than 12 ECR points on an ongoing two-year period of accreditation. Test report submissions are used by the validation authorities as a measure of the validity of a laboratory’s results.

Laboratories applying for accreditation to 17ACVT shall demonstrate, as a means of technical proficiency, the ability to operate and maintain a test environment that successfully interacts with the NIST ACVTS server(s).

Requirements Documents

• NIST Handbook 150:2020, update 1, NVLAP Procedures and General Requirements
• NIST Handbook 150-17:2022, NVLAP Cryptographic and Security Testing 
• Lab Bulletin LB-153-2024r1: Change to the minimum number of vendor product test report submissions as a measure of the laboratory’s ongoing proficiency
• Lab Bulletin LB-149-2023: Change in application of the requirement in NIST Handbook 150-17:2022 Annex B.3.5.2
• Lab Bulletin LB-147-2022: Release of NIST Handbook 150-17, 2022 Edition
• Lab Bulletin LB-116-2020: Update to NVLAP accreditation documents for laboratories accredited to ISO/IEC 17025:2017 under the ILAC MRA

References and Information

• Cryptographic Module Validation Program
• Cryptographic Algorithm Validation Program
• PIV - Personal Identity Verification Program
• SCAP - Security Content Automation Protocol