
Highlights from Day 1 of the CSTL Lab Manager Meeting with the CMVP

The first day of the CSTL lab manager meeting with the CMVP was an eventful one! Below are some of the highlights:

First, the big news of the day was that the position of Director of the CMVP is now open. Randy Easter, who has been leading the program for several years now, has changed positions and will now be concentrating on ISO related work. Apostol will take over as the acting Director of the CMVP until the position is permanently filled. Acumen would like to thank Randy for shepherding the program and growing it to what it is today!

This is in addition to the recent reorganization within NIST:

  • Mike Cooper now has three verticals under him: Operations, Research and Tools. These verticals will be shared across all programs Mike is responsible for (CMVP, CAVP, SCAP, PIV).
  • The operations group will be responsible for report queues, report reviews and comment resolution. The group is to be led by Melanie Cook (who was previously responsible for the SCAP program); Beverly Trapnell and Jim Fox will report to Melanie.
  • The research group will be responsible for drafting and distributing requirements and IGs. Apostol Vassilev will be leading this group.
  • The tools group will be responsible for creating tools to streamline the processes. Gini Khalsa (who comes to NIST from FDA) will be leading this group.

There are several additional personnel related moves at the CMVP, including:

  • Ken Lu will be retiring after 35 years. We wish him all the best in his next adventure.
  • There are currently three open requisitions at the CMVP. One has a potential target identified. The other two are open.

It has been known for several months that NIST would be bringing on contractors to augment the current NIST staffing. These contractors would be paid out of the cost recovery fees collected by NIST for report reviews. NIST fleshed out how the contractors will be leveraged. Contractors will now be used for a variety of roles at the CMVP, including report reviews. In fact, all reports will first be reviewed by a contractor, with a second oversight review by a CMVP reviewer. Reviewers will start reviewing reports shortly.

The CMVP is considering a change to the way Implementation Guidance and the FIPS DTRs are presented. The CMVP is considering making the DTR an 800 series Special Publication, while Implementation Guidance would be published as NIST IRs. Additionally, the IGs (as NIST IRs) would have a release cadence, potentially being released every six months, and would go through a public review period. This is a big step for the CMVP which will help collaboration and openness.

On the FIPS 140-4 front, the consensus is that it will be based on ISO 19790. However, there will be at least one more round of public comment. So, for the time being, FIPS 140-4 is not imminent. There will be a good deal of talk about it at the conference this week, so expect updates.

The CAVP is updating the process for labs to submit algorithm testing results. The system will now be significantly more automated. This will free up NIST staff hours and drastically reduce the turnaround time for submissions to NIST to be confirmed. Labs will now get confirmation in a matter of minutes rather than days.

There was a discussion around the potentially high impact of moving RNGs that are not part of SP 800-90 to the disallowed list. Basically, starting in January 2016, any service that uses keys generated with an ANSI X9.31 or FIPS 186-2 RNG will be considered a non-approved service. This applies both to new modules and previously validated modules, i.e. THIS IS RETROACTIVE! This means that many modules (70+%) will no longer have any approved services.

There are long term discussions to establish an internationally recognized cryptographic validation program based on a series of ISO documents. These ISO documents will cover items such as techniques for non-invasive attack testing, tester training, field deployment, entropy testing, and tool calibration. In totality, these documents are at least 3 years away from completion. So, this can be viewed as a long term goal.

The CAVP is planning on adding several new algorithm tests, including:

  • SP 800-56C
  • SP 800-132
  • SP 800-90B draft
  • SHA-3
  • SP 800-56A revision 2
  • SP 800-106
  • SP 800-38A ciphertext stealing, PT blocks CCM

During the question and answer period, the question of vendor affirmation of Diffie-Hellman was asked. There is a proposal to end vendor affirmation of Diffie-Hellman; however, no timetable has been set for ending affirmation.

And finally, on the more good news front, the CMVP queue is down from eight months to about three months. Congrats to the CMVP!!!
