Last week in Toronto, Canada, ICMC 2025 brought together experts from government, industry, and academia to explore the evolving landscape of designing, building, testing, and validating cryptographic modules. Over 300 IT professionals attended, engaging with more than 80 presentations and panels across eight thematic tracks: Certification Programs, Post-Quantum Cryptography (PQC), PQC Preparedness, Open-Source Cryptography, Embedded/IoT Cryptography, Random Bit Generators/Entropy, Implementing Cryptographic Cybersecurity, and Cryptographic Technology.

While each track catered to its own niche audience, sessions related to FIPS certification stood out as key highlights. The presence of CMVP (Cryptographic Module Validation Program) and CAVP (Cryptographic Algorithm Validation Program) leaders and staff from both the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) underscored the joint commitment of both nations in shaping the future of cryptographic assurance.
Given how insightful the conference was, we’d like to recap four critical sessions that signal where the Cryptographic Module Validation Program (CMVP) is heading: three forward-looking presentations and one dynamic panel discussion. To round things out, we’ll look at the conference’s lively closing session, where community spirit took center stage.
P11a – CMVP Program Update
For the first time, the CMVP Program Update opened as a plenary session—removing the painful dilemma of choosing between three parallel tracks, and rightly so. Delivered by David Hawes, Kailai Chen, and Alex Calis, the update reaffirmed CMVP’s commitment to agility, transparency, and collaboration.
A major focus was the shift to FIPS 140-3 Br1, designed to streamline workflows and tackle the long-standing validation backlog. With over 147 interim validations processed since June 2024 and work on automated revalidations gaining traction, the program is demonstrating real momentum.
The update also touched on the implementation of PQC standards (FIPS 203–205), with supporting tooling and guidance already available. Updates to the Implementation Guidance (IG), enhancements to the Request for Guidance (RFG) process, and the introduction of the Review Checklist Tool all reflected CMVP’s drive for consistency and process efficiency.
The message was clear: the CMVP is modernizing. It’s embracing a continuous improvement philosophy, recognizing that understanding matures over time, and decisions must evolve with that understanding. As an example, the CMVP has recently begun asking labs and vendors to revise the usage of the “Module Description” field on FIPS certificates. Historically, vendors had some freedom to include non-tested platforms or broader product descriptions; now, this field is being refocused to provide module-specific information. Vendors should now use their own web pages, product literature, or even add a paragraph in the module’s Security Policy (SP) to promote their offerings—provided the messaging is accurate and caveated appropriately.
Another major change is that citing precedents is no longer considered a valid justification for non-compliance with updated expectations. To accommodate changes like this, testing labs must act as a bridge between the CMVP and vendors, helping educate the community and align everyone on shared priorities—like reducing validation queues and expanding automation. The CMVP also recognized the critical role the Cryptographic Module User Forum (CMUF) plays in shaping the future of validation, encouraging continued collaboration. With updates on the horizon, the CMUF is the perfect place to discuss implementation strategies, potential tweaks, and future additions.
C12a – Mind the Gap: Navigating 19790:2025
To address the newly published ISO/IEC 19790:2025, Carolyn French’s session dove into the nuances and “gray areas” of the update that require further interpretation. The latest revision introduces powerful new concepts—such as secure containers, protected passwords, device attestation, and localized error states—but also leaves room for guidance and flexibility.
Throughout her presentation, French highlighted:
- The balance between international standardization and technical specificity.
- Areas that will require Implementation Guidance from CMVP.
- Community-driven mechanisms, like CMUF working groups, that shape guidance as technologies and use cases evolve.
Her talk made it clear: 19790:2025 is not a finish line, but a launchpad; the success of this standard lies not only in its publication but in how collaboratively and completely it is adopted.
C13c – Integration of ACMVP with CMVP
In a forward-facing session, Chris Celi (ACMVP Lead) and David Hawes (NIST CMVP Manager) outlined the integration of the Automated Cryptographic Module Validation Project (ACMVP) into existing CMVP infrastructure.
They discussed how the ACMVP will benefit the validation program by:
- Extending the success of ACVTS and ESV to provide an API for FIPS report submissions.
- Adopting structured JSON payloads, enabling precise, rule-based validation.
- Introducing automated pre-review feedback mechanisms and Test Evidence (TE) filters, which give labs immediate clarity before human review.
This session also captured the spirit of modernization driving CMVP, much like the CMVP Program Update. The ultimate goal for the ACMVP is an 18-month integration window post-September 2025, laying the groundwork for a new validation paradigm built on speed, clarity, and consistency.
C13a – ACMVP Project Update Panel
Led by Courtney Maatta (AWS), the panel session NCCoE Automated Cryptographic Module Validation Project (ACMVP) featured a robust discussion with panelists Chris Celi (NIST), Yi Mao (atsec), Stephan Mueller (atsec), Barry Fussell (Cisco), and Raoul Gabiam (MITRE). Together, they offered insights into the ACMVP’s mission to modernize CMVP operations through structured automation.

Each panelist reflected on their respective contributions, with a shared focus on how automation can alleviate the bottlenecks and inconsistencies currently affecting validation. Over the course of these reflections, some key accomplishments discussed were:
- A structured JSON-based framework for Test Evidence (TE), enabling interoperability and consistency across submissions.
- Tools for automated filtering and TE classification, intelligently tailoring validation requirements to the characteristics of each module.
- The design and implementation of an automated review checklist, aimed at significantly reducing turnaround time for validations by catching issues before reaching human reviewers.
Two demos were also highlighted:
- An Automated Checklist Demo, showcasing the system’s ability to flag and validate TE submission discrepancies.
- A TE Filtering and Evidence Submission Demo, showing how modules with different properties dynamically trigger specific evidence requirements, while supporting flexible evidence payloads.

With project completion slated for September 2025, the team encouraged labs and vendors to follow its progress and contribute via the ACMVP website and GitHub.
A High Note to Close: FIPS Fun with the CMUF
This year’s closing plenary session, FIPS Fun with the CMUF: Honoring History, Inspiring Tomorrow, was nothing short of spectacular—and certainly one of the most memorable finishes in ICMC history!
Hosted by Trish Wolff (Cisco), Fiona Stewart (Assurgo), and Renaudt Nunez (atsec), the session brought a perfect blend of humor, history, and heart. The trio took the stage in matching red “Do You CMUF?” T-shirts and immediately energized the crowd by launching a live Slido trivia game.

The questions spanned everything from ICMC and CMUF history to cryptographic algorithm specs, Implementation Guidance quirks, Management Manual oddities, and even the unofficial drink of the conference. Laughter and applause echoed through the room as correct answers were revealed, and Fiona added delightful commentary, including stories about the first ICMC keynote speaker, Dr. Bertrand du Castel, and his famous flamingo metaphor.
The trivia showdown culminated in a high-speed final round featuring the top three scorers from the audience. Congratulations to Mike Powers (Apple) for clinching the win, with Bobby Russ (Leidos) and Amir Shahhosseini (Palo Alto Networks) close behind. Prizes were generously provided by atsec, reinforcing the lighthearted community vibe that defines ICMC.

One attendee remarked, “I always look forward to atsec’s opening video clip. From now on, I’ll also look forward to the closing game.”

Wrapping up the closing plenary session, Renaudt provided a final message to attendees. With the transition to FIPS 140-3, there have been many delays, leading vendors to wonder when the program will catch up with the modules being produced, and he thought it would be helpful to look to other messages to foster a sense of responsibility in every individual.
With that in mind, Renaudt recalled the Smokey the Bear Wildfire Prevention campaign, the longest-running public service advertising campaign in the U.S. Beginning in 1944 to spread wildfire prevention awareness, its catchphrase, “Remember…Only YOU can prevent forest fires,” was used to serve as a call to action for all Americans to do their part in preventing forest fires. Likewise, he stressed that we in the cryptographic module validation community need to do OUR part to prevent Crypto Fires. The CMUF was founded with the purpose of creating a community to advance the security posture of the US and Canadian governments and grew to support vendors worldwide by providing a central location to host discussions and educate the community. As everyone prepared to head home, Renaudt wanted every attendee to reflect on that sense of community and leave the conference with a desire to do THEIR part.
Looking Ahead
As always, it was a pleasure to see members from all corners of the cryptographic world come together. The learning, networking, and collaboration that happen at the ICMC are unmatched, and this year’s event felt especially impactful.
We’re already looking forward to hosting a future ICMC in Austin—the birthplace of the conference—where the community spirit that started it all can come full circle.





