- CSRC Home
- Projects / Research
- news & events
Try the new CSRC.nist.gov and let us know what you think!
(Note: Beta site content may not be complete.)
The Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP) were established on July 17, 1995 by the National Institute of Standards and Technology (NIST) to validate cryptographic modules conforming to the Federal Information Processing Standards (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. FIPS 140-2 was released on May 25, 2001 and supersedes FIPS 140-1.
The current implementation of the CMVP is shown in Figure 1 below. The CAVP is a prerequisite for CMVP. The CAVP and CMVP leverage NVLAP accredited Cryptographic and Security Testing (CST) laboratories for testing cryptographic algorithms with CAVP and validation testing against the Derived Test Requirements (DTR), Implementation Guidance (IG), and applicable CMVP programmatic guidance. According to existing guidance, the CST laboratories must perform 100% independent testing of the modules submitted by the vendors.
The structure and the rules under which the CAVP and CMVP operate worked well for the level of the technology utilized by the Federal Government at the time when the programs were created more than two decades ago. As technology has advanced however, the algorithm and module testing processes no longer satisfy current day industry and government operational needs. Testing is exceedingly long, well beyond typical product development cycles across a wide range of technologies. The resulting validated modules do not provide useful interfaces for integration into IT systems to enable run-time monitoring of modules for compliance with FISMA.
NIST recognizes the need to improve the efficiency and effectiveness of cryptographic module testing in order to reduce the time and cost required for testing while providing a high level of assurance for Federal government consumers.
The principal goals of this project are to collaborate with commercial or open source producers of cryptographic capabilities and government consumers of FIPS 140 validated modules in order to:
The scope of this project is broken into multiple phases.