In response to questions and requests from some of you, as well as a further review of our internal transition process, NIST CAVP have decided on the following:
- The CAVS retirement date is 30 June 2020. No algorithm validations will be issued for CAVS test results submitted after 11:59 PM Eastern Time on 30 June 2020. See below for additional requirements on using CAVS for validations.
- The Automated Cryptographic Validation Test System (ACVTS), i.e., NIST CAVP algorithm validation testing using the Automated Cryptographic Validation Protocol (ACVP), is operational now and is the recommended path for obtaining algorithm validations. Starting 1 July 2020, ACVTS will be the only means of doing so.
- Upon reviewing the terms of the CRADA, we have determined that it only specifies cost recovery billing for ACVP vector sets, not for CAVS. Therefore, NIST CAVP will not do any cost recovery billing for CAVS for the remainder of its lifetime. In other words, CAVS testing will remain free.
- Be advised that CAVS will not be actively maintained and, as a result, the ACVTS will support testing for Approved (FIPS-approved and NIST recommended) algorithms that CAVS does not. If an implementation has an Approved algorithm the ACVTS Prod server supports (that CAVS does not support), it must be tested using ACVTS. Two clarifications:
- If a CAVS submission would require special processing, e.g., a request from the vendor/lab that failing test results be ignored because the implementation under test does not support certain input parameter lengths, but ACVTS handles the case natively, ACVTS must be used.
- If a FIPS 140-2 IG indicates that vendor affirmation is applicable for a particular Approved algorithm (and the IG transition end date has not passed), the vendor may choose either to test using ACVTS or vendor affirm.
- Because we recommend algorithm validation testing using the ACVTS and wish to encourage its use as early as possible, we have decided:
- To move the start date for cost recovery billing for ACVTS to 1 July 2020. That is, algorithm validations using ACVTS will be free up until the CAVS retirement date.
- From 1 January 2020 until 30 June 2020, CAVS submissions will only be accepted from CST labs that have valid credentials on the ACVTS Prod server. CST labs should go through the process of obtaining ACVTS Prod server credentials as soon as possible. To summarize the phases of CAVS test submission:
- Until 31 Dec 2019: CAVS submissions accepted
- 1 Jan 2020 to 30 Jun 2020: CAVS submissions accepted only if submitting lab has ACVTS Prod server credentials
- Beginning 1 Jul 2020: CAVS submissions not accepted
Please let me know if you have questions on any of the above.
Tim Hall, CAVP Program Manager