NIST Modernizes CMVP to Align Cryptographic Innovation with Validation Capacity


Key Takeaways

  • NIST’s National Cybersecurity Center of Excellence (NCCoE) has released a draft practice guide (NIST SP 1800‑40) advocating automation of the Cryptographic Module Validation Program (CMVP) to alleviate chronic delays.
  • The Automated Cryptographic Module Validation Project (ACMVP) builds on earlier automation wins—such as the Cryptographic Algorithm Validation Program (CAVP) and WebCryptik—to create a cloud‑native, server‑client framework for faster, more consistent validation.
  • Three coordinated workstreams—Test Evidence, Protocol, and Research Infrastructure—standardize evidence classification, define submission interactions, and modernize the underlying lab environment.
  • Early results show reduced reviewer overhead, built‑in completeness checks, and a scalable infrastructure that can be extended to hardware modules, CVE‑only submissions, and operating‑environment updates.
  • Public comment is open until June 1, 2026; stakeholder input will shape the final guidance that could become a baseline requirement for regulated and critical‑infrastructure sectors.

Introduction
The U.S. National Institute of Standards and Technology (NIST) is confronting a growing mismatch between the rapid pace of cryptographic innovation and the ability of its Cryptographic Module Validation Program (CMVP) to certify new modules in a timely manner. To address this bottleneck, NIST’s National Cybersecurity Center of Excellence (NCCoE) has issued a draft practice guide, NIST SP 1800‑40: Automation of the NIST Cryptographic Module Validation Program, which outlines how automation could transform the long‑standing, document‑intensive validation workflow. The guide is open for public comment through June 1, 2026, signaling a deliberate effort to gather industry feedback before any formal changes are adopted.


Purpose of the Automated Cryptographic Module Validation Project
The core objective of the Automated Cryptographic Module Validation Project (ACMVP) is to improve the efficiency and timeliness of CMVP operations without compromising the assurance that validated modules provide. This effort builds on prior automation successes within the CMVP ecosystem, including the full automation of the Cryptographic Algorithm Validation Program (CAVP), the rollout of WebCryptik for submitting test results, and the automation of entropy‑source evidence processing for the Entropy Source Validation (ESV) program. By extending automation to the broader validation pipeline, NIST aims to create a scalable model that can keep up with accelerating product cycles and rising security expectations.


Pressure on the Existing Validation Pipeline
Historically, CMVP was designed to ensure that cryptographic modules meet stringent security requirements stipulated in FIPS 140‑3 and its supporting standards. However, the program has struggled to keep pace with a surge in submissions driven by faster product release cycles and increasingly complex implementations—spanning software, firmware, and hardware across security levels 1‑4. NIST’s proposal identifies structured test evidence, standardized submission protocols, and upgraded computing infrastructure as key levers to reduce processing delays while preserving the rigor of validation outcomes.


Draft Guidance: Automation and Cloud‑Native Shift
The draft guidance details a shift toward automation across both testing and validation workflows, coupled with a transition from legacy on‑premises systems to a cloud‑native architecture. The NCCoE argues that this approach can accelerate timelines, improve consistency, and increase transparency in how modules are evaluated. If adopted, the framework would provide testing laboratories, technology vendors, and validation authorities with a more scalable path to certification—crucial as validated cryptography becomes a baseline requirement in regulated industries and critical‑infrastructure sectors.


Alignment with FIPS 140‑3 and ISO/IEC 24759
ACMVP is designed to enable automated review of test reports wherever possible across the requirements defined in FIPS 140‑3 and ISO/IEC 24759, which together underpin the CMVP framework. These standards combine functional and non‑functional security requirements, shaping how modules are tested and validated. By mapping automation efforts directly to these specifications, NIST ensures that any streamlined process remains fully compliant with the existing security baseline.


Overview of the Three Coordinated Workstreams
To operationalize the vision, the project is structured into three interrelated workstreams involving accredited laboratories, vendors, and validation authorities: Test Evidence (TE), Protocol, and Research Infrastructure. Each stream addresses a distinct facet of the validation lifecycle—classifying and filtering requirements, defining submission interactions, and modernizing the supporting lab environment—while collectively driving measurable improvements toward a more efficient CMVP.


Test Evidence Workstream: Classifying and Filtering Requirements
The TE Workstream focuses on streamlining FIPS 140‑3 validation by classifying and filtering individual requirements so that the ACMVP server can automatically identify relevant test evidence, eliminate redundancy, and support a scalable validation framework. Applicability is determined through centralized community consensus rather than left to the judgment of individual reviewers. This structured approach enables the TE Filter to automate applicability decisions, reducing reviewer overhead and allowing human experts to concentrate on requirements that resist automation.


Protocol Workstream: Defining Submission Interactions
Drawing inspiration from the Automated Cryptographic Validation Protocol (ACVP), the Protocol Workstream defines the interactions between the CMVP server and ACMVP clients. It supports full module submissions—including capability descriptions, FIPS 140‑3 requirement mapping, and security policy generation—and integrates with existing tools such as WebCryptik and the CMVP’s internal policy builder to ensure consistent documentation. Two key outputs are slated for production deployment: (1) a server‑side front door that performs built‑in completeness and accuracy checks, allowing labs to resolve issues before they become reviewer comments; and (2) a Requirements Library, packaged as a NuGet package, which tracks all FIPS 140‑3 requirements for internal CMVP developers.


Research Infrastructure Workstream: Modernizing the Lab Environment
The Research Infrastructure Workstream has modernized the CMVP’s cloud‑based supporting infrastructure through iterative development, progressively adopting cloud‑native services to enhance scalability, portability, and security. The resulting architecture is a containerized application compatible with both Windows and Linux, featuring a managed database service, a fully automated CI/CD pipeline, and modernized authentication via an AWS Network Load Balancer. Close collaboration with the production CMVP team has accelerated infrastructure modernization, with cloud‑native technologies now being deployed alongside NIST’s Infrastructure and Security teams. This approach offers a replicable model for modernizing services across NIST and the wider industry.


Findings and Recommendations for Future Work
The NIST document includes several findings and recommendations. The TE Workstream established a structured method for categorizing test evidence by security level and module type, enabling targeted filtering that improves validation efficiency without lowering security standards. Automating applicability decisions lets reviewers focus exclusively on requirements that resist automation. Additionally, communities such as the CMUF may further streamline automation by defining standardized test procedures for specific test evidence, yielding scripted, pre‑formatted outputs that conform to the ACMVP protocol. Future work includes extending support to additional submission types (e.g., CVE‑only submissions or operating‑environment updates) and enhancing WebCryptik to facilitate the construction of ACMVP evidence payloads.


Extended Scope: From Software to Hardware Modules
Although the initial focus of ACMVP was on software‑based cryptographic modules, the project has deliberately expanded to cover both software and hardware modules across security levels 1‑4. The standardized evidence format and protocol are designed to be agnostic to the underlying technology, allowing the same automation principles to apply to firmware, secure elements, and hardware security modules. This broadening ensures that the benefits of automation—speed, consistency, and reduced manual effort—can be realized across the full spectrum of cryptographic implementations that federal and regulated entities rely upon.


Implications for Vendors, Labs, and Federal Compliance
If the draft guidance is finalized, vendors will gain a clearer, more predictable pathway to certification, reducing time‑to‑market for new cryptographic products. Testing laboratories will benefit from automated pre‑checks that catch submission errors early, decreasing the iteration cycles with reviewers. Federal agencies and contractors that depend on CMVP validation for compliance will see faster turnaround times for approved modules, helping them meet stringent procurement timelines and adapt swiftly to emerging threats. Moreover, the transparency introduced by automated checks and standardized reporting could improve auditability and trust in the validation process.


Conclusion
NIST’s move to automate the Cryptographic Module Validation Program reflects a strategic recognition that manual, document‑heavy validation models are no longer sustainable in an era of rapid cryptographic innovation. Through the ACMVP initiative—structured around Test Evidence, Protocol, and Research Infrastructure workstreams—NIST aims to deliver a cloud‑native, scalable framework that accelerates processing, enhances consistency, and preserves the rigorous assurance that CMVP certifications provide. Stakeholder feedback collected during the public comment period (through June 1, 2026) will be instrumental in shaping the final guidance, potentially establishing automation as the new baseline for cryptographic module validation across regulated and critical‑infrastructure domains.
