Welcome to the Acumen Security Blog

Big News: Upcoming CMVP MIP/IUT policy changes effective 2017 & 2018

This morning, CMVP informed the CSTL labs about a couple of major policy changes that impact modules listed on the Module In Process (MIP) and Implementation Under Test (IUT) lists.

Change #1:

Effective July 1, 2017:

1. The CMVP will automatically drop modules in IUT after 18 months.

2. The amount of time for the labs to respond to CMVP comments will be reduced from 120 days to 90 days. After 90 days, the module will be placed on hold and removed from the MIP list.

The big change here is that modules cannot remain on IUT for more than 18 months. Prior to this change there was no time limit. Achieving IUT status is an important milestone for product vendors since it shows a serious commitment to FIPS validation. With a time limit now in place, it will be important to plan and ensure that all validation activities up to report submission are completed within 18 months of IUT. The good news is that 18 months is a long enough time and this shouldn’t be an issue for most product vendors.

Note that this change is effective July 1 and will apply to all modules currently listed in IUT as well as new submissions. While this is not apparent in the CMVP notice, we confirmed with CMVP that this is the case. If you have products on the IUT list that will have been listed for 18 months or more, please ensure contingency steps are taken.

Change #2:

Effective January 1, 2018:

1. The CMVP will drop modules that have not been validated within 2 years of submission or IUTB, whichever occurred first. When the module is dropped, the vendor and lab will have to restart the validation process by sending an updated submission and paying a new cost recovery fee at the current rate.

This shouldn’t be a big problem for most product vendors. In our experience, once the report is submitted, a certificate is issued within 3-5 months. 2 years seems extremely generous.

Please let us know if you have any questions.
