Last week in Toronto, Canada, ICMC 2025 brought together experts from government, industry, and academia to explore the evolving landscape of designing, building, testing, and validating cryptographic modules. Over 300 IT professionals attended, engaging with more than 80 presentations and panels across eight thematic tracks: Certification Programs, Post-Quantum Cryptography (PQC), PQC Preparedness, Open-Source Cryptography, Embedded/IoT Cryptography, Random Bit Generators/Entropy, Implementing Cryptographic Cybersecurity, and Cryptographic Technology.
While each track catered to its own niche audience, sessions related to FIPS certification stood out as key highlights. The presence of CMVP (Cryptographic Module Validation Program) and CAVP (Cryptographic Algorithm Validation Program) leaders and staff from both the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) underscored the joint commitment of both nations in shaping the future of cryptographic assurance. Given how insightful the conference was, weād like to recap four critical sessions that signal where the Cryptographic Module Validation Program (CMVP) is heading: three forward-looking presentations and one dynamic panel discussion. To round things out, weāll look at the conferenceās lively closing session, where community spirit took center stage.
P11a – CMVP Program Update
For the first time, the CMVP Program Update opened as a plenary sessionāremoving the painful dilemma of choosing between three parallel tracks, and rightly so. Delivered by David Hawes, Kailai Chen, and Alex Calis, the update reaffirmed CMVPās commitment to agility, transparency, and collaboration.
A major focus was the shift to FIPS 140-3 Br1, designed to streamline workflows and tackle the long-standing validation backlog. With over 147 interim validations processed since June 2024 and work on automated revalidations gaining traction, the program is demonstrating real momentum.
The update also touched on the implementation of PQC standards (FIPS 203ā205), with supporting tooling and guidance already available. Updates to the Implementation Guidance (IG), enhancements to the Request for Guidance (RFG) process, and the introduction of the Review Checklist Tool all reflected CMVPās drive for consistency and process efficiency.
The message was clear: the CMVP is modernizing. Itās embracing a continuous improvement philosophy, recognizing that understanding matures over time, and decisions must evolve with that understanding. As an example, the CMVP has recently begun asking labs and vendors to revise the usage of the āModule Descriptionā field on FIPS certificates. Historically, vendors had some freedom to include non-tested platforms or broader product descriptions; now, this field is being refocused to provide module specific information. Vendors should now use their own web pages, product literature, or even add a paragraph in the moduleās Security Policy (SP) to promote their offeringsāprovided the messaging is accurate and caveated appropriately.
Another major change is that citing precedents is no longer considered a valid justification for non-compliance with updated expectations. To accommodate changes like this, testing labs must act as a bridge between the CMVP and vendors, helping educate the community and align everyone on shared prioritiesālike reducing validation queues and expanding automation. The CMVP also recognized the critical role the Cryptographic Module User Forum (CMUF) plays in shaping the future of validation, encouraging continued collaboration. With updates on the horizon, the CMUF is the perfect place to discuss implementation strategies, potential tweaks, and future additions.
C12a – Mind the Gap: Navigating 19790:2025
To address the newly published ISO/IEC 19790:2025, Carolyn Frenchās session dove into the nuances and āgray areasā of the update that require further interpretation. The latest revision introduces powerful new conceptsāsuch as secure containers, protected passwords, device attestation, and localized error statesābut also leaves room for guidance and flexibility.
Throughout her presentation, French highlighted:
- The balance between international standardization and technical specificity.
- Areas that will require Implementation Guidance from CMVP.
- Community-driven mechanisms, like CMUF working groups, that shape guidance as technologies and use cases evolve.
Her talk made it clear: 19790:2025 is not a finish line, but a launchpad; the success of this standard lies not only in its publication but in how collaboratively and completely it is adopted.
C13c – Integration of ACMVP with CMVP
In a forward-facing session, Chris Celi (ACMVP Lead) and David Hawes (NIST CMVP Manager) outlined the integration of the Automated Cryptographic Module Validation Project (ACMVP) into existing CMVP infrastructure.
They discussed how the ACMVP will benefit the validation program by:
- Extending the success of ACVTS and ESV to provide an API for FIPS report submissions.
- Adopting structured JSON payloads, enabling precise, rule-based validation.
- Introducing automated pre-review feedback mechanisms and Test Evidence (TE) filters, which give labs immediate clarity before human review.
This session also captured the spirit of modernization driving CMVP, much like the CMVP Program Update. The ultimate goal for the ACMVP is an 18-month integration window post-September 2025, laying the groundwork for a new validation paradigm built on speed, clarity, and consistency.
C13a – ACMVP Project Update Panel
Led by Courtney Maatta (AWS), the panel session NCCoE Automated Cryptographic Module Validation Project (ACMVP) featured a robust discussion with panelists Chris Celi (NIST), Yi Mao (atsec), Stephan Mueller (atsec), Barry Fussell (Cisco), and Raoul Gabiam (MITRE). Together, they offered insights into the ACMVP’s mission to modernize CMVP operations through structured automation.
Each panelist reflected on their respective contributions, with a shared focus on how automation can alleviate the bottlenecks and inconsistencies currently affecting validation. Over the course of these reflections, some key accomplishments discussed were:
- A structured JSON-based framework for Test Evidence (TE), enabling interoperability and consistency across submissions.
- Tools for automated filtering and TE classification, intelligently tailoring validation requirements to the characteristics of each module.
- The design and implementation of an automated review checklist, aimed at significantly reducing turnaround time for validations by catching issues before reaching human reviewers.
Two demos were also highlighted:
- An Automated Checklist Demo, showcasing the systemās ability to flag and validate TE submission discrepancies.
- A TE Filtering and Evidence Submission Demo, showing how modules with different properties dynamically trigger specific evidence requirements, while supporting flexible evidence payloads.
With project completion slated for September 2025, the team encouraged labs and vendors to follow its progress and contribute via the ACMVP website and GitHub.
A High Note to Close: FIPS Fun with the CMUF
This yearās closing plenary session, FIPS Fun with the CMUF: Honoring History, Inspiring Tomorrow, was nothing short of spectacularāand certainly one of the most memorable finishes in ICMC history!
Hosted by Trish Wolff (Cisco), Fiona Stewart (Assurgo), and Renaudt Nunez (atsec), the session brought a perfect blend of humor, history, and heart. The trio took the stage in matching red āDo You CMUF?ā T-shirts and immediately energized the crowd by launching a live Slido trivia game.
The questions spanned everything from ICMC and CMUF history to cryptographic algorithm specs, Implementation Guidance quirks, Management Manual oddities, and even the unofficial drink of the conference. Laughter and applause echoed through the room as correct answers were revealed, and Fiona added delightful commentary, including stories about the first ICMC keynote speaker, Dr. Bertrand du Castel, and his famous flamingo metaphor (more here).
The trivia showdown culminated in a high-speed final round featuring the top three scorers from the audience. Congratulations to Mike Powers (Apple) for clinching the win, with Bobby Russ (Leidos) and Amir Shahhosseini (Palo Alto Networks) close behind. Prizes were generously provided by atsec, reinforcing the lighthearted community vibe that defines ICMC.
One attendee remarked, āI always look forward to atsecās opening video clip. From now on, Iāll also look forward to the closing game.ā
Wrapping up the closing plenary session, Renaudt provided a final message to attendees. With the transition to FIPS 140-3, there have been many delays, leading vendors to wonder when the program will catch up with the modules being produced, and he thought it would be helpful to look to other messages to foster a sense of responsibility in every individual.
With that in mind, Renaudt recalled the Smokey the Bear Wildfire Prevention campaign, the longest-running public service advertising campaign in the U.S. Beginning in 1944 to spread wildfire prevention awareness, its catchphrase, āRememberā¦Only YOU can prevent forest fires,ā was used to serve as a call to action for all Americans to do their part in preventing forest fires. Likewise, he stressed that we in the cryptographic module validation community need to do OUR part to prevent Crypto Fires. The CMUF was founded with the purpose of creating a community to advance the security posture of the US and Canadian governments and grew to support vendors worldwide by providing a central location to host discussions and educate the community. As everyone prepared to head home, Renaudt wanted every attendee to reflect on that sense of community and leave the conference with a desire to do THEIR part.
Looking Ahead
As always, it was a pleasure to see members from all corners of the cryptographic world come together. The learning, networking, and collaboration that happen at the ICMC are unmatched, and this yearās event felt especially impactful.
Weāre already looking forward to hosting a future ICMC in Austināthe birthplace of the conferenceāwhere the community spirit that started it all can come full circle.
