Update on the Automated Cryptographic Validation Program (ACVP) (C12a)
The Cryptographic Module Validation Program (CMVP) was established on July 17, 1995 by the National Institute of Standards and Technology (NIST) to validate cryptographic modules conforming to the Federal Information Processing Standards (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. FIPS 140-2 was released on May 25, 2001 and supersedes FIPS 140-1. The structure and the rules under the CMVP reflect the level of the technology utilized by the US Federal Government at the time when the program was created. As technology has advanced however, the cryptographic module testing process no longer satisfies current day industry and government operational needs. Testing is exceedingly long, well beyond typical product development cycles across a wide range of technologies.
We also live in times of unprecedented levels of threats and exploits that require frequent product updates to fix defects and remove security vulnerabilities, which doesn’t fit in the current model.
In 2015 NIST together with the industry embarked on modernizing the crypto validation programs at NIST through automation. In this panel the speakers will provide an update of the current progress, share some of the successes and remaining challenges.
In particular, they will discuss the recently developed criteria for participation in the automated programs for technology companies and laboratories. The panel will explore the possibilities for automating the generation and review of test artifacts to replace manual procedures and increase the agility and bandwidth of the validation program in the different sectors of the technology space, from established software and hardware vendors who have long participated in the NIST cryptographic validation programs to vendors of web services and virtualization who have not been able to participate due to the limitations of the existing programs.