IndustrialCyber

NIST advances CMVP modernization to close gap between cryptographic innovation and validation capacity


The U.S. National Institute of Standards and Technology (NIST) is moving to modernize one of the most critical bottlenecks in applied cryptography. Through its National Cybersecurity Center of Excellence (NCCoE), NIST released a draft practice guide, NIST SP 1800-40: Automation of the NIST Cryptographic Module Validation Program, outlining how automation could reshape the long-strained Cryptographic Module Validation Program (CMVP). The document is open for public comment through June 1, 2026, signaling a push to gather industry input before formalizing changes that could affect vendors, testing labs, and federal compliance regimes.

The intent of the Automated Cryptographic Module Validation Project (ACMVP) is to support improvement in the efficiency and timeliness of CMVP operations and processes. The NCCoE effort builds on other automation initiatives within the CMVP ecosystem, such as completion of the automation of the Cryptographic Algorithm Validation Program (CAVP); rollout of WebCryptik, an application for submitting test results to the CMVP; and the automation of entropy data testing evidence processing for the Entropy Source Validation (ESV) program. The initiative will provide mechanisms for the structural presentation of testing evidence by NVLAP-accredited parties to facilitate automation of evidence validation by the CMVP. 

The move reflects a broader recalibration inside NIST as it confronts the widening gap between cryptographic innovation and the capacity to certify it. By formalizing automation within CMVP operations, the agency is effectively signaling that manual, document-heavy validation models are no longer sustainable in an era defined by rapid deployment cycles and rising security expectations. 

At the center of the effort is a recognition that the current validation pipeline is under pressure. Originally designed to ensure cryptographic modules meet strict security requirements, CMVP has struggled to keep pace with a surge in submissions driven by faster product cycles and increasingly complex implementations. NIST’s proposal points to structured test evidence, standardized submission protocols, and upgraded computing infrastructure as key levers to reduce delays without compromising assurance.

The draft guidance details a shift toward automation across testing and validation workflows, paired with a transition from legacy on-premises systems to a cloud-native architecture. The NCCoE argues this approach can accelerate processing timelines while improving consistency and transparency in how modules are evaluated. If adopted, the framework would give testing laboratories, technology vendors, and validation authorities a more scalable path to certification at a time when validated cryptography is becoming a baseline requirement across regulated and critical infrastructure environments.

The ACMVP is designed to enable automated review of test reports wherever possible across the requirements defined in FIPS 140-3 and ISO/IEC 24759, which underpins the framework. These standards combine both functional and nonfunctional security requirements, shaping how modules are tested and validated.

The initiative focuses on streamlining test methods for specific technology classes, including software-based modules, while improving how functional and non-functional requirements are reported. A key objective is to demonstrate a suite of tools capable of modernizing and automating what has traditionally been a manual and time-intensive review process.

The project has been structured across three coordinated workstreams involving accredited laboratories, vendors, and validation authorities. The Test Evidence workstream examines how individual requirements are classified and assessed by labs and reviewers. The Protocol workstream has developed server and client implementations to handle validation submissions more efficiently. Meanwhile, the Research Infrastructure workstream has built the supporting lab environment required to run these systems. Together, these efforts are driving measurable improvements in automation across the CMVP, pointing toward a more scalable and efficient validation model.

The project develops tools to modernize and automate manual review processes within the existing CMVP framework, enabling accredited labs to make full module submissions. It covers both technical testing evidence and the construction of security policy documents required for final validation certificates. Using a server/client model, labs can submit reports incrementally, with automated review occurring before formal CMVP submission.

Its scope encompasses standard functional test methods, full reporting of applicable security requirements, a NIST-hosted cloud infrastructure, and a protocol for generating and validating standardized evidence from operational testing. Although initially focused on software modules, the project expanded to cover both software and hardware modules across security levels 1 through 4. Future phases may extend automation to other submission types, such as CVE-only submissions or additions of operating environments to existing validations.

The project was organized into three workstreams covering Test Evidence (TE), Protocol, and Research Infrastructure. The TE Workstream streamlines FIPS 140-3 validation by classifying and filtering requirements so the ACMVP server can identify relevant test evidence, reduce redundancy, and support a more scalable, automated validation framework. Applicability of requirements is determined through centralized community consensus rather than left to individual reviewer judgment.

The Protocol Workstream defines interactions between the CMVP server and ACMVP clients, drawing inspiration from the Automated Cryptographic Validation Protocol (ACVP). It supports full module submissions, including capability descriptions, FIPS 140-3 requirement mapping, and security policy generation, and integrates with WebCryptik and the CMVP’s internal policy builder to ensure consistent documentation.

The Research Infrastructure Workstream modernized the CMVP’s cloud-based supporting infrastructure through iterative development, progressively adopting cloud-native services to improve scalability, portability, and security. The result is a containerized application compatible with both Windows and Linux, featuring a managed database service, a fully automated CI/CD pipeline, and modernized authentication via AWS Network Load Balancer. Together, these workstreams deliver meaningful automation and operational improvements to the CMVP.

The NIST document provided findings and recommendations for future work. The TE Workstream established a structured approach to categorizing Test Evidence by security level and module type, enabling targeted filtering that improves validation efficiency without compromising security standards. By automating applicability decisions through the TE Filter, reviewer overhead is reduced, enabling reviewers to focus only on requirements that resist automation, without needing to assess applicability themselves. 

The CMVP is evaluating how the newly collected assurances will shape future module reviews. Communities such as the CMUF may further streamline automation by defining standardized test procedures for specific TEs, enabling scripted, pre-formatted outputs that conform to the protocol.

The Protocol Workstream demonstrated how a well-structured payload can be processed to deliver instant feedback on submission completeness. Two key outputs are being integrated into the production CMVP environment. First, the server will serve as a new front door for CMVP submissions, performing built-in completeness and accuracy checks so labs can resolve issues before they become reviewer comments. Second, the Requirements Library, an excerpt of the TE Filter implementation, has been packaged as a NuGet package for internal use by CMVP developers, tracking all FIPS 140-3 requirements. Future work includes support for additional submission types affecting existing validations and updates to WebCryptik to support ACMVP evidence payload construction.

The Infrastructure Workstream took an iterative approach to modernizing the CMVP’s supporting infrastructure, achieving operational efficiency, portability, reproducibility, and CI/CD integration while meeting production security requirements. Close collaboration with the production CMVP team has accelerated infrastructure modernization, with cloud-native technologies now being implemented in the production environment alongside NIST’s Infrastructure and Security teams. The approach is broadly applicable beyond CMVP, offering a replicable model for modernizing infrastructure and services across NIST and the wider industry.

Last September, NIST released a draft white paper on automating the CMVP, an effort that seeks to speed up and streamline CMVP operations. The CMVP validates whether third-party cryptographic modules meet the requirements of FIPS 140-3, Security Requirements for Cryptographic Modules.


