Date Published: April 15, 2026
Comments Due:
Email Comments to:
Author(s)
Chris Celi (NIST), Alexander Calis (NIST), Murugiah Souppaya (NIST), William Barker (NIST), Karen Kent (Trusted Cyber Annex), Shawn Geddis (Katalyst), Raoul Gabiam (MITRE), Stephan Mueller (atsec), Yi Mao (atsec), Barry Fussell (Cisco), Andrew Karcher (Cisco), Douglas Boldt (AWS)
Announcement
The NIST Cryptographic Module Validation Program (CMVP) is essential for organizations required to use validated cryptography – ensuring that hardware and software cryptographic implementations meet standard security requirements. The NCCoE has published the draft NIST SP 1800-40, Automation of the NIST Cryptographic Module Validation Program, to demonstrate how structured test evidence, standardized submission protocols, and modernized computing infrastructure can streamline the submission and review process. This publication is open for public comment through June 1, 2026.
Background
NIST established the CMVP to ensure that hardware and software cryptographic implementations conform to specified security requirements. Since CMVP was established, the volume, complexity, and speed-to-market of cryptographic modules seeking validation have steadily increased. The rapid pace of innovation is exceeding the capacity of vendors, labs, and validation authorities to keep up with testing and validation.
The NCCoE, in collaboration with the CMVP, is demonstrating the value of automation to improve the efficiency and timeliness of CMVP operations and processes. This publication provides details on the modernization effort, including automation of the testing and validation process, demonstration of protocols to accept and process module validation submissions, and an overview of the infrastructure changes to shift from an on-premises architecture to a cloud-native platform. This publication is intended to help testing labs, technology producers, and validation authorities streamline the validation process while maintaining and improving assurance levels.
Comment Now!
We encourage you to download the publication and submit your feedback by June 1, 2026. While no further publication updates are planned, the team invites users to provide feedback on the areas where clarification might be beneficial. If you have any questions, you can reach out to the team at [email protected].
The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. Historically, the CMVP validation review process has struggled to keep pace with the volume of cryptographic modules and accelerated software release cycles, contributing to delays in validation timelines. The NIST National Cybersecurity Center of Excellence (NCCoE) has undertaken the Automated Cryptographic Module Validation Project (ACMVP) to explore how automation can improve the efficiency and timeliness of CMVP operations and processes. The project demonstrates how structured test evidence, standardized submission protocols, and supporting modernized computing infrastructure can streamline the submission and review of validation artifacts.
This publication describes the approaches and tools demonstrated by the ACMVP team. The publication describes the results of an ACMVP Test Evidence (TE) Workstream and Protocol Workstream, as demonstrated in a laboratory environment developed by the project’s Research Infrastructure Workstream. The combined impact of these workstreams is intended to provide automation improvements to improve submission quality and enable a more efficient CMVP review process.
The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. Historically, the CMVP...
See full abstract
The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. Historically, the CMVP validation review process has struggled to keep pace with the volume of cryptographic modules and accelerated software release cycles, contributing to delays in validation timelines. The NIST National Cybersecurity Center of Excellence (NCCoE) has undertaken the Automated Cryptographic Module Validation Project (ACMVP) to explore how automation can improve the efficiency and timeliness of CMVP operations and processes. The project demonstrates how structured test evidence, standardized submission protocols, and supporting modernized computing infrastructure can streamline the submission and review of validation artifacts.
This publication describes the approaches and tools demonstrated by the ACMVP team. The publication describes the results of an ACMVP Test Evidence (TE) Workstream and Protocol Workstream, as demonstrated in a laboratory environment developed by the project’s Research Infrastructure Workstream. The combined impact of these workstreams is intended to provide automation improvements to improve submission quality and enable a more efficient CMVP review process.
Hide full abstract
Keywords
Automated Cryptographic Module Validation Project (ACMVP); Cryptographic Module Validation Program (CMVP); cryptography; cryptographic module; cryptographic module testing; cryptographic module validation
Control Families
None selected
