Welcome to the Acumen Security Blog

Archives for December 2016

Happy New Year!

Another year gone by, and what a year it was on so many fronts! This was the year that challenged us to scale effectively and am heartened to see how the team responded. We went from a handful of customers in 2015 to a full book in 2016. Scaling to a greater customer diversity while maintaining or exceeding level of service is always tough, but Team Acumen was up to the challenge. This was evidenced by the all round positive feedback we have received from our customers and quantified by the high marks received in the FIPS survey. Along the way we had some key team additions as well as diversification into other services such as support for FedRAMP audits.

 
April 2017 Acumen will be three years old and I guess that is when we stop being a startup? If 2016 was exciting, 2017 is going to be down right amazing. Few items already lined up are move to a new larger office space, revamping our website, a project management and customer interaction portal, validating the next version of openSSL and lot more! What will remain unchanged will be our ethos to keep simplifying certification and driving value for the investment our customers make in certifying their products.

 
Happy New Year! Welcome 2017!

Big News: Upcoming CMVP MIP/IUT policy changes effective 2017 & 2018

This morning, CMVP informed the CSTL labs about couple of major policy changes that impact modules listed on Module In Process (MIP) and Implementation Under Test (IUT) lists.

Change #1:

Effective July 1, 2017:

1. the CMVP will automatically drop modules in IUT after 18 months.

2. the amount of time for the labs to respond to CMVP comments will be reduced from 120 days to 90 days. After 90 days, the module will be placed on hold and removed from the MIP list.

The big change here is that modules cannot remain on IUT for more than 18 months. Prior to this change there was no time limit. Achieving IUT status is an important milestone for product vendors since it shows a serious commitment to FIPS validation. With a time limit now in place, it will be important to plan and ensure that all validation activities upto report submission is completed within 18 months of IUT. The good news is that 18 months is long enough time and this shouldn’t be an issue to most product vendors.

Note that this change is effective July 1 and will apply to all modules currently listed in IUT as well as new submissions. While this is not apparent in the CMVP notice, we confirmed with CMVP that this is the case. If you have products on the IUT list that will be 18 months or more please ensure contingency steps are taken.

Change #2:

Effective January 1, 2018:

  1.     the CMVP will drop modules that have not been validated within 2 years of submission or IUTB, whichever occurred first. When the module is dropped, the vendor and lab will have to restart the validation process by sending an updated submission and paying a new cost recovery fee at the current rate.

This shouldn’t be a big problem for most product vendors. In our experience once report is submitted, a certificate is issued within 3-5 months. 2 years seems extremely generous.

Please let us know if you have any questions.