Algorithm Testing & Automation: The Change from CAVS to ACVTS

The National Institute of Standards and Technology (NIST) has announced that the Cryptographic Module Validation Program (CMVP) and the Cryptographic Algorithm Validation Program (CAVP) will soon be transitioning to an automated process for algorithm testing.

NIST’s announcement states that use of the current Cryptographic Algorithm Validation System (CAVS) and issuance of algorithm validations from that system will end at midnight on 6/30/20. Replacing the manual process is the new and updated Automated Cryptographic Validation Test System (ACVTS).

ACVTS testing has begun but is not yet mandatory unless the implementation has an Approved algorithm that the ACVTS Prod server supports and that CAVS does not support, with two clarifications:

  1. If a CAVS submission would require special processing, e.g., a request from the vendor/lab that failing test results be ignored because the implementation under test does not support certain input parameter lengths, but the ACVTS handles the case natively, ACVTS must be used.
  2. If a FIPS 140-2 IG indicates that vendor affirmation is applicable for a particular Approved algorithm (and the IG transition end date has not passed), the vendor may choose either to test using ACVTS or vendor affirm.


  • CAVS testing will remain free until it is retired
  • ACVTS will be free up until the CAVS retirement date

Key Dates:

  • 1/20/20: CAVS submissions will only be accepted from a NVLAP-accredited CTS Lab that has obtained ACVTS credentials
  • 6/30/20: Last day to submit CAVS test results
  • 7/1/20: ACVTS is the only path for obtaining algorithm validations

About Algorithm Testing and FIPS 140-2

FIPS 140-2 is a joint effort by the National Institute of Standards and Technology (NIST) in the United States, and the Communications Security Establishment Canada (CSEC), under the Canadian government. The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing for FIPS 140-2. Product vendors are required to complete validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components.

FIPS 140-2 provides stringent third-party assurance of security claims on any product containing cryptography that may be purchased by a government agency. FIPS is mandated by law in the U.S. and very strictly enforced in Canada, it is also currently being reviewed by ISO to become an international standard. FIPS 140-2 is gaining worldwide recognition as an important benchmark for third party validations of encryption products of all kinds. A FIPS 140-2 validation of a product provides end users with a high degree of product security, assurance, and dependability.

About Corsec Security, Inc.

For two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2, Common Criteria (CC) and the DoD’s APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe


Press Contact:

Jake Nelson
Corsec Director of Marketing