The Cryptographic Module Validation Program (CMVP) is a part of the National Institute of Standards and Technology (NIST), which operates under the Department of Commerce. The CMVP's role is to promote the use of validated cryptographic modules and to provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. This primarily occurs through management and oversight of the testing required as part of the FIPS 140-2 / FIPS 140-3 validation standards.
The CMVP is currently experiencing longer than usual evaluation periods within the FIPS 140 programs. To help shorten those wait times, the CMVP is looking to automate processes and procedures related to the evaluation and testing of these cryptographic modules.
To support this newly identified objective, the CMVP has developed a draft document that outlines assumptions, challenges, current architectures, requirements, and guidance. The ultimate goal is to identify ideas and recommendations on how to automate some of the more tedious and manual elements of the FIPS 140 evaluation process. Specifically, the CMVP states that it hopes to improve efficiencies and timelines within CMVP operations.
Some of the current challenges outlined include:
- An increase in complex modules being evaluated
- A lack of human resources to address the influx in evaluations
- Insufficient information/documentation submissions
- Operating environment updates
This is not the first time the CMVP has turned to automation: it recently changed the methods for testing algorithms within the Cryptographic Algorithm Validation Program (CAVP). Read more about that transition here.
Although such an effort is not expected to make an impact in the near term, it is a positive sign that the CMVP is actively trying to improve things in the long run.
Contact Corsec to ask questions, discuss a project, or gain more insight on this post.