We’ve often focused on security and maintenance from the perspective of technology itself–specifically, how it is deployed and used by individuals in the real world. But, the truth is that assessments of security technologies don’t start when an enterprise deploys them. Rather, in cases of tech like cryptography modules and biometrics, it begins in the lab that creates them. And that’s where the National Voluntary Laboratory Accreditation Program comes in. 

This article discusses NVLAP and its vital function in enhancing the credibility of laboratories involved in testing and calibration. This includes using third-party assessment and rigorous standards to govern how labs protect and assure the products they produce.

Who is the National Voluntary Laboratory Accreditation Program?

The U.S. government established the National Voluntary Laboratory Accreditation Program (NVLAP) in 1976 to respond to a growing need for consistent and reliable testing and calibration services. Here’s a brief history highlighting its development and role:

NVLAP was established under the National Bureau of Standards (now the National Institute for Standards and Technology) to ensure the quality and reliability of testing and calibration services across various technologies and industries.

As the years passed, NVLAP expanded its scope to include more areas of accreditation. As technology advanced and new industries emerged, NVLAP continuously updated and broadened its accreditation criteria to address these evolving needs. 

NVLAP’s role became increasingly important in information technology and cybersecurity. It started accrediting laboratories for cybersecurity testing, including cryptographic module testing under the Cryptographic Module Validation Program (CMVP).

NVLAP has also played a significant role in aligning U.S. and international standards. This helped U.S. laboratories and businesses to compete effectively in the global market.

NVLAP in the Context of Cybersecurity

NVLAP plays a significant role in ensuring that testing laboratories meet high-quality assurance and technical expertise standards. In many cases, these standards are a bare minimum that these products must meet to be used in enterprise or government applications–and these standards must be rigorously maintained.

Here are some critical aspects of how NVLAP relates to cybersecurity:

• Cybersecurity Testing and Certification: NVLAP assesses laboratories that perform testing and certification in various aspects of cybersecurity. This includes testing cryptographic modules, cybersecurity products, and systems against established standards.
• Cryptographic Module Validation Program: One prominent area where NVLAP is involved in cybersecurity is through the CMVP, jointly managed by NIST and the Communications Security Establishment (CSE) of Canada. Laboratories accredited by NVLAP under this program test cryptographic modules to ensure they comply with the Federal Information Processing Standards (FIPS) 140 series, which are standards for security requirements for cryptographic modules.
• Accreditation for Cryptographic and Security Testing: NVLAP provides CST lab accreditation, which involves evaluating the capabilities of laboratories to test software and hardware products that contain cryptographic modules, ensuring they meet specific security standards. These standards are crucial for products used in sensitive government and military applications and in various industries where data security is paramount.
• Conformance to Standards: NVLAP ensures that laboratories conform to international and national standards for cybersecurity testing. These include methodologies, protocols, and best practices for conducting such tests.
• Confidence in Cybersecurity Measures: For organizations and individuals relying on cryptographic products and services, NVLAP accreditation offers confidence. Knowing that a product has been tested and certified by an NVLAP-accredited laboratory means it meets stringent security standards.
• Global Recognition: NVLAP-accredited labs are often recognized globally, enhancing the credibility of cybersecurity products internationally and facilitating their acceptance in global markets.
• Continuous Improvement and Compliance: Labs accredited by NVLAP must continually improve their processes and stay up-to-date with evolving cybersecurity standards and threats. This ensures ongoing compliance and relevance in a rapidly changing cyber landscape.

What Is NVLAP Accreditation?

Accreditation under NVLAP is an important step in assuring the world, specifically purchasers and users of specific technologies, that lab standards are of the highest caliber. In many cases, NVLAP accreditation is one of the only ways certain technologies, like cryptographic modules, can be used in certain applications. 

Accreditation under the NVLAP is also a mark of recognition that a laboratory has met specific technical competence and quality management standards. Here’s what it means for a laboratory to be NVLAP-accredited:

• Technical Competence: NVLAP accreditation signifies that a laboratory has demonstrated its technical capability to perform specific tests, calibrations, or measurements. This involves not just the equipment and methodologies used but also the qualifications and expertise of the staff.
• Quality Management System: The laboratory must have a robust quality management system conforming to the principles outlined in international standards like ISO/IEC 17025. This system ensures consistent, reliable, and accurate results.
• Regular Assessments and Surveillance: NVLAP conducts regular assessments, including on-site evaluations, to ensure ongoing compliance with its standards. These assessments also help identify areas for improvement.
• Adherence to Standards and Protocols: Accreditation requires the laboratory to adhere to specific testing or calibration standards, methods, and protocols. These are often internationally recognized, ensuring the lab’s results are accepted nationally and internationally.
• International Recognition: NVLAP is a signatory to mutual recognition arrangements (MRAs), which means that data from NVLAP-accredited labs are recognized in other countries. This is crucial for laboratories that provide services for international trade.
• Commitment to Continuous Improvement: Accredited laboratories must continuously monitor and improve their processes and performance. This commitment to excellence ensures they keep pace with technological and methodological advancements.
• Market Advantage: For many industries, especially where safety, compliance, and quality are critical, using an NVLAP-accredited laboratory is often a requirement. This accreditation gives a competitive advantage to laboratories in the market.
• Consumer and Stakeholder Confidence: NVLAP accreditation instills confidence in consumers, regulatory authorities, and other stakeholders that the testing, calibration, or measurement services are reliable and meet the highest quality standards.

How Does My Lab Become NVLAP-Accredited?

Becoming accredited under NVLAP is a multi-step process that thoroughly assesses the laboratory’s technical capabilities and quality management systems. Much like a compliance assessment, VLAP accreditation includes experts documenting and monitoring lab activity and practices to ensure they are implemented well and consistently. 

Here’s an overview of the steps an organization typically follows to achieve NVLAP accreditation:

• Understand the Requirements: The first step is for the organization to understand the specific requirements for accreditation in their area of expertise. This involves familiarizing themselves with the relevant NVLAP lab codes and the criteria outlined in standards such as ISO/IEC 17025.
• Application Submission: The organization must complete and apply NVLAP, providing detailed information about their laboratory, including its scope of testing or calibration services, personnel, equipment, and quality management system.
• Documentation Review: NVLAP reviews the submitted documents to assess the laboratory’s policies, procedures, and quality management system. This review ensures the lab’s practices align with NVLAP’s standards and requirements.
• On-Site Assessment: If the documentation review is successful, NVLAP arranges an on-site assessment. During this visit, assessors evaluate the laboratory’s technical competence, staff qualifications, equipment calibration, testing or calibration methods, and overall adherence to the quality management system.
• Assessment Report and Corrective Actions: The assessors provide a report detailing their findings after the on-site assessment. If there are any non-conformities or areas for improvement, the laboratory must address these through corrective actions.
• Accreditation Decision: Once the laboratory has satisfactorily addressed all non-conformities, NVLAP reviews the entire assessment process and decides on accreditation.
• Accreditation Granted: If the decision is favorable, the laboratory is granted accreditation for a specific scope detailed in the accreditation certificate. This scope specifies the exact tests, calibrations, or measurements the lab is accredited to perform.
• Maintenance and Surveillance: Accreditation is not a one-time event but an ongoing process. Laboratories are required to undergo regular surveillance assessments and re-assessment at specified intervals to maintain their NVLAP accreditation. This ensures continued compliance with NVLAP standards and allows for the expansion or modification of the scope of accreditation as needed.

Throughout the process, laboratories must demonstrate technical proficiency and accuracy in their testing or calibration services and a commitment to maintaining a quality management system that meets NVLAP’s stringent criteria. This process aims to ensure that accredited labs consistently produce reliable and accurate results, thereby instilling confidence in their services among clients and stakeholders.

Contact Lazarus Alliance to Help Manage Your Cybersecurity

Seeking compliance with ISO, NIST, or Common Criteria standards? Lazarus Alliance has decades of experience working with industry and regulatory standards worldwide. Contact us today.