Be careful of the “shall” statements

At the end of May, the CMVP put out guidance (effective immediately) pertaining to the implementation of health tests as defined in Section 11.3 of the SP 800-90A standard. Marc Ireland over at Infogard has done a good job of capturing the guidance here. We would recommend having a look at this if you do not know whether you implement the health tests or not.

However, the reason for this blog post is to identify a common pitfall we have seen in the certification industry. FIPS 140-2 validation over the years has become exponentially more complicated (when I started in the industry there were all of three approved algorithms!) and as a result it is pretty easy to lose track of requirements if time and effort have not been put in to understand new standards, relevant special publications and, perhaps most importantly, implementation guidance. Any and all “shall” statements in these documents need to be taken seriously, and it must be assumed they are mandated. The CMVP might not quiz you on them right now, but the hammer will fall one day, and when that happens (as it happened with the SP 800-90A health test ruling) correcting the issue will be painful, costly and WILL mean lost business. We frankly were surprised by this guidance since we have always assumed health tests to be mandatory and have been guiding our customers as such.

Apart from implementing the “shall” statements in relevant standards, the best way to avoid these issues is to perform a thorough gap analysis of your product up front. A good gap analysis will entail a deep dive into the product’s usage of cryptography and verify that all pertinent requirements have been met. The money spent up front on a good gap analysis is perhaps the best investment you can make to reduce cost and developer angst later in the process. Also, when in doubt, ask your lab to check with the CMVP and receive written buy-in/guidance. It is better to know up front if the “creative” approach to meeting certain requirements will not be accepted.

Plan ahead, perform a thorough gap analysis and give yourself enough time to close the gaps identified. We guarantee that you will have a better overall certification experience!