NIST CSWP 37A Automation of the Cryptographic Module Validation Program

NIST Publications

Published March 16th, 2026

Detected March 19th, 2026

Summary

NIST has published CSWP 37A, detailing the automation of the Cryptographic Module Validation Program (CMVP). This white paper reports on the progress of the Automated Cryptographic Module Validation Project (ACMVP) and outlines planned next steps for improving the efficiency of FIPS 140-3 validation processes.

View original document View source feed page

What changed

NIST has released Cybersecurity White Paper (CSWP) 37A, which details the progress and future plans for the Automated Cryptographic Module Validation Project (ACMVP). The ACMVP aims to automate the testing and reporting of cryptographic module implementations against FIPS Publication 140-3 requirements, thereby enhancing the efficiency and timeliness of the Cryptographic Module Validation Program (CMVP). This report covers progress up to September 2024 and outlines subsequent steps.

This publication serves as guidance for technology companies and manufacturers involved in cryptographic module validation. While it does not impose new direct compliance obligations, it informs stakeholders about NIST's efforts to streamline the validation process. Organizations may wish to familiarize themselves with the ACMVP's goals and potential future reporting protocols as the project progresses. No specific compliance deadlines or penalties are mentioned in this status report.

Source document (simplified)

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

NIST CSWP 37A Automation of the NIST Cryptographic Module Validation Program

Published

March 16, 2026

Author(s)

Christopher Celi, Alexander Calis, Murugiah Souppaya, William Barker, Karen Kent, Raoul Gabiam, Yi Mao, Barry Fussell, Andrew Karcher, Douglas Boldt

Abstract

The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. The NIST National Cybersecurity Center of Excellence (NCCoE) has undertaken the Automated Cryptographic Module Validation Project (ACMVP) to support improvement in the efficiency and timeliness of CMVP operations and processes. The goal is to demonstrate a suite of automated tools that would permit organizations to perform testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols. This is a status report of progress made with the ACMVP project up through September 2024 and the planned next steps. Subsequent reports will cover updates post-September 2024. Citation NIST Cybersecurity White Papers (CSWP) - 37A Report Number 37A Pub Type NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.CSWP.37A Local Download

Keywords

Automated Cryptographic Module Validation Project (ACMVP), Cryptographic Module Validation Program (CMVP), cryptography, cryptographic module, cryptographic module testing, cryptographic module validation Cryptography and Conformance testing

Citation

Celi, C.
, Calis, A.
, Souppaya, M.
, Barker, W.
, Kent, K.
, Gabiam, R.
, Mao, Y.
, Fussell, B.
, Karcher, A.
and Boldt, D.

(2026),
NIST CSWP 37A Automation of the NIST Cryptographic Module Validation Program, NIST Cybersecurity White Papers (CSWP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.CSWP.37A, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=960765       
  (Accessed March 18, 2026)