The Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP) were established on July 17, 1995 by NIST to validate cryptographic modules conforming to the Federal Information Processing Standards (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. FIPS 140-2 was released on May 25, 2001 and supersedes FIPS 140-1.
The current implementation of the CMVP is shown in Figure 1 below. The CAVP is a prerequisite for CMVP. The CAVP and CMVP leverage NVLAP-accredited Cryptographic and Security Testing (CST) laboratories for testing cryptographic algorithms with CAVP and validation testing against the Derived Test Requirements (DTR), Implementation Guidance (IG), and applicable CMVP programmatic guidance. According to existing guidance, the CST laboratories must perform 100% independent testing of the modules submitted by the vendors.
Figure 1: Current implementation of the CMVP
In the flows of the process under which the CMVP operates, shown below, there is no interaction between the CMVP and module vendors. All CMVP communications are with the testing laboratories.
The structure and the rules under which the CAVP and CMVP operate worked well for the level of the technology utilized by the Federal Government at the time when the programs were created more than two decades ago. As technology has advanced however, the algorithm and module testing processes no longer satisfy current day industry and government operational needs. Testing and validation of test results are exceedingly long, well beyond typical product development cycles across a wide range of technologies. Because of the human effort involved in all stages of this process, the possibility for subjectivity and errors is high. Moreover, the resulting validated modules do not provide useful interfaces for integration into IT systems to enable run-time monitoring of modules for compliance with FISMA.
NIST recognizes the need to improve the efficiency and effectiveness of cryptographic module testing in order to reduce the time and cost required for testing while providing a high level of assurance for Federal government consumers.
The principal goals of this project are to collaborate with commercial or open source producers of cryptographic capabilities and government consumers of FIPS 140 validated modules in order to:
The scope of this project is broken into multiple phases.
Phase 1
Phase 2
Phase 3
Phase 4
Security and Privacy: cryptography, testing & validation