Technology Services, National Voluntary Laboratory Accreditation Program, NIST Go to Technology Services Home Page Go to NIST Home Page Go to National Voluntary Laboratory Accreditation Program Home Page Go to Directory of Accredited Laboratories Go to Fields of Accreditation Go to Publications/Applications Go to Mutual Recognition Arrangements Go to Assessor Resources Contact National Voluntary Laboratory Accreditation Program




Cryptographic and Security Testing

The Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP), initially named Cryptographic Module Testing (CMT), was established by the National Voluntary Laboratory Accreditation Program (NVLAP) to accredit laboratories that perform cryptographic algorithms and cryptographic modules validation conformance testing. As the LAP expanded in 2006 and 2007 and offered additional security scopes of accreditation, the name was changed to Cryptographic and Security Testing (CST). However, references on the web or older documents to this LAP under the obsolete nomenclature might still exist.

The National Institute of Standards and Technology, Information Technology Laboratory (NIST/ITL), initially requested establishment of this LAP to accredit laboratories that conformance test cryptographic modules under the Cryptographic Module Validation Program (CMVP). As the CMVP expanded, a new program was developed to encompass the validation of all FIPS-approved and NIST-recommended cryptographic algorithms. Laboratory accreditation for the Cryptographic Algorithm Validation Program (CAVP) was added to CST as a prerequisite to CMVP accreditation in July 1995.

In response to HSPD 12 of August 2004, the NIST Computer Security Division (NIST/CSD) initiated a new program for improving the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems. Federal Information Processing Standard (FIPS) 201 (201-1), entitled Personal Identity Verification of Federal Employees and Contractors, was developed to satisfy the requirements of HSPD 12, approved by the Secretary of Commerce, and issued on February 25, 2005. Later that year, NIST established the NIST Personal Identity Verification Program (NPIVP) to validate Personal Identity Verification (PIV) components required by FIPS 201. NVLAP added the PIV Test Methods to the CST LAP on April 2006.

In 2007, the U.S. General Services Administration (GSA) requested that NVLAP add the test methods defined in the GSA FIPS 201 Evaluation Program (GSA EP) to its CST LAP, building upon NPIVP test methods for which laboratories could already attain accreditation. The GSA FIPS 201 Evaluation Program requires NVLAP accreditation on this set of test methods referred to as GSA Precursor (GSAP) as a prerequisite for all laboratories seeking to become a GSA FIPS 201 Testing Laboratory.

In response to the Office of Management and Budget (OMB) Memorandum 07-18 of July 31, 2007, the NIST Computer Security Division (NIST/CSD) initiated a new program for validating the implementation of the Security Content Automation Protocol (SCAP) standards within security software modules. This Program became part of the CST LAP in December of 2007 to meet the needs defined by the Office of Management and Budget (OMB) in Memorandums 07-11 and 07-18.

All of the tests for the CMVP, CAVP, NPIVP, GSA, and SCAP are handled by third-party laboratories that are accredited as Cryptographic and Security Testing (CST) laboratories by NVLAP. However, each laboratory is accredited for a suite of specific test methods derived from the elected scopes of accreditation the laboratory applied for and not necessarily for all the test methods offered under the CST LAP as a whole. Vendors interested in validation testing of their products should study the NVLAP Directory of Accredited Laboratories with respect to which scope(s) each laboratory has been accredited.

To meet the laboratories' needs, NVLAP currently offers several compound scopes of accreditation, as listed below:

  • Basic Cryptographic Security Testing (17BCS)
    • Cryptographic Algorithm Validation Testing (17CAV)
      • Cryptographic Modules – Software 1 Testing (17CMS1) (Security Levels 1 to 3)
        • Cryptographic Modules – Software 2 Testing (17CMS2) (Security Levels 4 and above)
      • Cryptographic Modules – Hardware 1 Testing (17CMH1) (Security Levels 1 to 3)
        • Cryptographic Modules – Hardware 2 Testing (17CMH2) (Security Levels 4 and above)
    • Personal Identity Verifier Testing (17PIV)
      • GSA FIPS 201 Testing (17GSA)
    • Security Content Automation Protocol Testing (17SCAP)

An understanding of Basic Cryptographic and Security Testing (17BCS) is required for all other scopes of accreditation as a prerequisite, and is not offered as a stand-alone scope.

The Personal Identity Verifier Testing scope (17PIV) offers accreditation for all conformance testing governed by the NPIVP.

The GSA FIPS 201 Testing scope (17GSA) offers accreditation for all GSA test methods, and requires 17PIV as a prerequisite.

The  Cryptographic Algorithm Validation Testing scope (17CAV) targets the CAVP and is a prerequisite for all other software and hardware CMVP-derived scopes of accreditation as the list above indicates.

When a scope of accreditation is chosen, all hierarchically lower scopes listed in the descendant path become mandatory.

The next figure gives a graphical representation of the building block prerequisites presented above. It also indicates the dependencies and the compounding rules for the available scopes of accreditation. For example, if the Cryptographic Modules – Software 2 (17CMS2) scope is elected, the Cryptographic Modules – Software 1 testing (17CMS1), Cryptographic Algorithm Validation testing (17CAV) and Cryptographic Security testing (17BCS) scopes become mandatory prerequisites.

Building block prerequisites for CST scopes of accreditation

Each scope of accreditation has at least one test method associated with it. If need raises, NVLAP reserves the right to update, modify or rename the set of test methods associated with any scope of accreditation. Please visit this web site for the latest updates.

Laboratories accreditation requirements are derived from the elected scope(s) of accreditation. NIST Handbook 150 and NIST Handbook 150-17 govern the general and specific technical requirements for accreditation under CST LAP. For more information on NIST Handbook 150-17 and the accreditation requirement for all existing scopes of accreditation, contact NVLAP.

For additional information on CMVP see: http://csrc.nist.gov/groups/STM/cmvp/index.html.

For additional information on CAVP see: http://csrc.nist.gov/groups/STM/cavp/index.html.

For additional information on NPIVP see: http://csrc.nist.gov/groups/SNS/piv/npivp/index.html.

For additional information on GSA FIPS 201 EP see http://fips201ep.cio.gov/.

For additional information on SCAP see http://nvd.nist.gov/.

For additional information on the CST LAP, contact NVLAP at (301) 975-4016 or send e-mail to NVLAP at: NVLAP@nist.gov.


Date created: October 9, 2007 
Last updated: July 9, 2008


Return to top of page NVLAP Home | Accredited Laboratories | Fields of Accreditation | Publications/Applications
Mutual Recognition Arrangements | Assessor Resources | Contact NVLAP Return to top of page

For questions concerning the National Voluntary Laboratory Accreditation Program, contact us at:

National Voluntary Laboratory Accreditation Program, Standards Services Division, NIST, 100 Bureau Drive, Stop 2140, Gaithersburg, MD 20899-2140
Phone: (301) 975-4016, Fax: (301) 926-2884, Email: nvlap@nist.gov

If you have any questions regarding this website, or notice any problems or inaccurate information, please contact the webmaster by sending e-mail to: TSWeb@nist.gov
NIST is an agency of the U.S. Department of Commerce.