Let’s start at the top: NIST is the National Institute of Standards and Technologies, a US government agency that promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology. CAVP is the NIST Cryptographic Algorithm Validation Program, which is part of the NIST certification effort for cryptographic components. The NIST test system uses the Automated Cryptographic Validation Protocol, or ACVP, to communicate the capabilities of the components to the NIST Automated Cryptographic Validation Test System (ACVTS) server, receive test vectors, send the responses and receive the result. Whew! Still with me?
Before you write all of this off as so much “acronym soup,” it’s important to know that this national, self-service, cryptographic-algorithm testing system performs an important function for the entire supply chain. This system helps assure that devices that contain cryptographic components will function as they should. Virtually every device on the internet of things (IoT) has a cryptographic component. Having the server and testing protocols available from an agency such as NIST makes testing and certification easier and more reliable for any device that needs Federal Information Processing Standard (FIPS) validation. The ACVP testing is a critical condition for passing the final FIPS 140-2, or the newer FIPS 140-3, certification process.
The ACVP replaces the Cryptographic Algorithm Validation System (CAVS), which was retired on 30 June 2020, and is designed to accelerate the validation process for vendors. The ACVP, as a self-serve testing system, reduces the role of a National Voluntary Laboratory Accreditation Program (NVLAP)-accredited Cryptographic and Security Testing (CST) Laboratory in the tedious and repetitive algorithm testing stage. Vendors still have to qualify, apply for and receive credentials, as well as learn the platform and execute testing. However, once they are up and running, they