NVLAP and Cryptographic Testing

The National Voluntary Laboratory Accreditation Program (NVLAP) handles lab and testing requirements for several categories of products and services, several of them within cybersecurity. One of the most important categories is cryptographic testing and validation.

 

NVLAP and Cryptographic Testing

One of the testing and validation programs managed by NVLAP covers cryptographic modules as outlined by the National Institute of Standards and Technology (NIST). To align lab standards with technical requirements, NVLAP defers its standards for lab testing to two different programs, namely the Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP).

NIST requires that cryptographic modules be tested and validated along specific guidelines to ensure they protect data sufficiently. NVLAP (along with CAVP and CMVP) ensures that testing facilities can adequately test for the various requirements throughout the NIST specification.

Why do cryptographic modules need to be tested? At a minimum, they must be:

 

What Is the Cryptographic Algorithm Validation Program (CAVP)?

CAVP is the testing program that addresses minimum security requirements for the encryption algorithms used inside modules. Because there are several different algorithms, each accomplishing a different task or function, there are several testing approaches, one for each category. Additionally, because NIST uses a standardized set of approved algorithms, it only tests for those particular algorithms.

The current algorithm tests include:

 

What Is the Cryptographic Module Validation Program (CMVP)?

In addition to testing encryption algorithms, NIST also supports the CMVP to test and validate comprehensive modules (which may include the algorithm, other software, hardware, etc.).

The CMVP process functions as a larger flow chart where a vendor-specific module is tested and verified by an accredited Cryptographic and Security Testing (CST) lab. The process, broadly, follows a few steps:

  1. Submission of Module: A vendor submits the module to the accredited CST lab (following testing requirements set by the CMVP program and NVLAP lab management and testing standards).
  2. Testing: The lab creates a set of Derived Test Requirements (DTR) based on the components and function of the module. These DTRs are derived from requirements spelled out in FIPS 140. Once testing is complete, the lab creates a cryptographic module test report and submits it to the CMVP.
  3. Validation: Validation can be an interactive process. If the vendor’s module does not meet testing standards, the CMVP can coordinate comments between the lab and the vendor and restart the testing process. If the module passes inspection, it is confirmed as meeting the FIPS 140 standard.
  4. Listing: NIST lists validated and in-process modules to help agencies and developers trust the cryptographic modules that they use.

 

Utilize Proper Cryptography Standards with Continuum GRC

With the evolving set of cyber threats and vulnerabilities, it’s essential to have strong encryption spearheading security. That’s why the developers and the end-users of cryptographic technologies need to understand standards, requirements, and validation processes. 

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
