The recent personnel reductions at NIST—following the “Fork in the Road” policy—have marked a turning point for the cryptographic validation community. With key leaders stepping away (Cybersecurity Dive article) and resources tightening, atsec is convinced that the urgency to modernize and scale the FIPS validation process has never been more clear and critical.
The Automated Cryptographic Module Validation Program (ACMVP)— a joint initiative led by NIST’s National Cybersecurity Center of Excellence (NCCoE)—was once considered a future enhancement to the FIPS validation process. That future is arriving faster than expected. At last month’s International Cryptographic Module Conference (ICMC) in Toronto, the NCCoE team hosted an ACMVP Project Update Panel, and NIST’s Computer Security Division presented a roadmap for integrating ACMVP into the CMVP. (You can view the session here.)
Remarkably, even since that announcement, the timeline has accelerated. We’re excited to share that the ACMVP demo server is now live and open to all stakeholders—no Cooperative Research and Development Agreement (CRADA) or lab accreditation required. This marks a rare opportunity for vendors, labs, and reviewers to directly engage with the next generation of FIPS validation.
Barry Fussell, Principal Engineer Cisco Systems and a long-time contributor to the NIST’s automation endeavor, commended the work done: “Unlike the ACVP project, from the very start of the NCCoE ACMVP project it was very clear there was official commitment both from NIST as well as the industry. While the testing results are not instantaneous like ESV or ACV, that was never our intention. Our goals centered on evidence uniformity and completeness. As those goals were met, it is great to hear that CMVP has accelerated the ACMVP productization. We look forward to continued industry feedback as well as increased efficiencies as production rollout occurs. Thanks to all those that participated and made this happen!”
Courtney Maatta, the project manager of the ACMVP project from Amazon Web Services, also praised the amazing work done over the years, saying “The ACMVP team has truly been an impactful collaboration effort, and we are excited for this latest demo server release and further progress towards automation of the CMVP. We hope to continue to work together with the NCCOE joint team to modernize and improve critical cybersecurity programs.”
Tackling the Backlog Through Automation
The FIPS 140-3 validation process has long suffered from inefficiencies—lengthy documentation, multi-phase reviews, and manual coordination—all of which slow the delivery of certified cryptographic modules.
Since 2022, atsec has played a central role in the ACMVP project, co-leading the Test Evidence (TE) Workstream with the CMVP in the past and with Katalyst LLC this year, and contributing to:
- TE Classification – Structuring evidence using defined categories
- TE Filtering – Tailoring evidence requirements based on module configuration
- Structured Reporting – Designing machine-readable formats for test reports and security policies
These advances were featured at ICMC 2024 and 2025. While deployment was initially expected 18 months after project completion in September 2025, the timeline has accelerated. The ACMVP is ready for trial now.
atsec has verified that access to the demo server is smooth and familiar—comparable to the ACVT and ESV demo environments. We’re pleased to share our positive experience engaging with the platform.
Highlights from the ACMVP Demo Server
The current ACMVP demo server supports a structured and interactive validation workflow:
- Upon registration, the server gathers the module’s declared capabilities and intended FIPS level.
- Based on this, it auto-generates a customized list of applicable TEs, helping both labs and reviewers align early on.
- TEs deemed irrelevant are excluded from the assessment, saving time and effort.
During testing:
- Labs can upload TEs incrementally and edit them as needed—even after submission—allowing for targeted updates during review without resubmitting the full package.
- The server cross-checks ACVP and ESV certificates against NIST databases and aligns all data with the SP JSON submission.
- The final SP PDF is automatically generated from the structured JSON data, ensuring consistent formatting, and simplifying the review process.
This machine-readable framework also opens the door for labs to build their own automation tools—streamlining workflows and reducing human error.
Thanks to the Protocol Workstream of the ACMVP, you can find the demo access instructions here.
How You Can Participate
We encourage labs, vendors, and community members to:
- Explore the ACMVP demo environment
- Review the JSON-based SP and Evidence Catalog formats
- Begin aligning internal tooling with ACMVP’s future workflows
- Provide feedback directly to the ACMVP project team (applied-crypto-testing@nist.gov)
atsec’s Commitment
atsec remains fully committed to the success of the ACMVP. We will continue co-leading the TE Workstream and contributing to the automation playbook, data formats, and community guidance through the project’s scheduled completion in September 2025.
The cryptographic community faces a moment of transition—and opportunity.
Let’s shape the future of FIPS validation together.
