At the beginning of each fiscal year (FY), NIST CMVP prepares a budget justification for the NIST Cost Recovery fees for the following fiscal year. The NIST Budget office reviews the information and is the approver for the final NIST Cost Recovery fees for the following fiscal year.
The NIST Cost Recovery fees for FY17 and FY18 are (see Implementation Guidance (IG) G.8 for an explanation of the different scenarios):
CR=Cost Recovery: for new module submissions.
ECR=Extended Cost Recovery: for reports that are deficient. Report deficiencies vary in severity; some are due to technicalities, such as incompleteness or missing documentation, while more serious deficiencies are due to security-related nonconformities.
NIST Cost Recovery (CR) is levied on all 1A, 1B, 3 and 5 submissions. IG G.16 allows laboratories the option to request an invoice while they are finalizing the report for submission to CMVP. Once the CR process begins, changes to the overall security level and submission type will not be accepted. Only unpaid invoices can be cancelled. When the invoice is paid, there are no refunds.
If a report has not been received within 90 days after the invoice request was accepted, the module will be moved to On Hold and removed from the Implementation Under Test (IUT) list. The module can be automatically removed from On Hold and placed on the Modules In Process (MIP) list by sending the report. No additional fees are invoiced to remove the module from On Hold.