Welcome to the Acumen Security Blog

Big News: Upcoming CMVP MIP/IUT policy changes effective 2017 & 2018

This morning, CMVP informed the CSTL labs about a couple of major policy changes that affect modules listed on the Module In Process (MIP) and Implementation Under Test (IUT) lists.

Change #1:

Effective July 1, 2017:

1. the CMVP will automatically drop modules in IUT after 18 months.

2. the amount of time for the labs to respond to CMVP comments will be reduced from 120 days to 90 days. After 90 days, the module will be placed on hold and removed from the MIP list.

The big change here is that modules cannot remain on IUT for more than 18 months. Prior to this change there was no time limit. Achieving IUT status is an important milestone for product vendors since it shows a serious commitment to FIPS validation. With a time limit now in place, it will be important to plan so that all validation activities up to and including report submission are completed within 18 months of IUT listing. The good news is that 18 months is a long enough window that this shouldn't be an issue for most product vendors.

Note that this change is effective July 1 and will apply to all modules currently listed in IUT as well as new submissions. While this is not apparent in the CMVP notice, we confirmed with CMVP that this is the case. If you have products that are at or approaching 18 months on the IUT list, please ensure contingency steps are taken.

Change #2:

Effective January 1, 2018:

1. the CMVP will drop modules that have not been validated within 2 years of submission or IUTB, whichever occurred first. When the module is dropped, the vendor and lab will have to restart the validation process by sending an updated submission and paying a new cost recovery fee at the current rate.

This shouldn't be a big problem for most product vendors. In our experience, once a report is submitted a certificate is issued within 3-5 months, so 2 years seems extremely generous.

Please let us know if you have any questions.

A New EP For Voice And Video Over IP

For the past couple of years the Protection Profile for Voice Over IP Applications (VOIP_PP) has been available for vendors who want to get a VoIP client Common Criteria certified. In March of 2017 this PP will reach its sunset date. Its place will be taken by the newly developed Extended Package for Voice and Video over IP (VOIP_EP). This EP, which was released in September of this year, will extend either the Application Protection Profile (APP_PP) or the collaborative Network Device Protection Profile (NDcPP).

One of the most significant differences between the old VOIP_PP and the new VOIP_EP is the types of TOEs it is meant to cover. The VOIP_PP was meant for software applications running on a host platform, typically one certified against an Operating System or Mobile Device PP. VOIP_PP TOEs were required to use SDES-SRTP for protected voice communications and SIP over TLS for call control. By extending either the APP_PP or the NDcPP, the VOIP_EP can be used for both software applications and dedicated network appliances. The VOIP_EP is now also clearly meant to cover TOEs that offer video capabilities, while the old VOIP_PP only covered voice data.

One unusual limitation noted in the "Use Cases" section of the EP is that a Software Application TOE should be running on a general purpose computer with an operating system that is conformant to the General Purpose Operating System Protection Profile. This statement would appear to exclude mobile applications that run on Mobile Device PP certified platforms. While we believe this was an oversight in the VOIP_EP, vendors who are planning on certifying mobile applications should confirm with NIAP that a Mobile Device PP certified platform is acceptable.

The most notable difference in requirements between the VOIP_PP and the VOIP_EP is the addition of audit requirements to the EP. Any VOIP_EP TOE that extends the NDcPP would have to meet NDcPP audit requirements, but VVOIP audit requirements have also been added that apply to both NDcPP and APP_PP based TOEs. This is important to remember since most CC evaluations of mobile applications do not include any SFRs that cover audit. Since the EP only contains FAU_GEN.1, this also means that APP_PP based TOEs will have a requirement to generate audit records but without the usual corresponding requirements for audit data protection or storage. There is an optional Audit Event Storage SFR for TOEs that claim APP_PP conformance. Interestingly, the language in that optional SFR says that it shall be included for APP_PP evaluations, which makes it sound like a selection-based SFR rather than an optional one. This is something that should be clarified by NIAP before a TOE enters evaluation under this EP.

Another significant change in the VOIP_EP is the addition of a requirement that the TOE use a constant bit rate voice vocoder. This is meant to avoid potential vulnerabilities that can result when you encrypt the output of a variable bit rate vocoder: SRTP encrypts the payload but does not hide its length, so frame sizes that vary with the speech content remain visible to anyone observing the packets. There is also a new requirement that the TOE close all ports that are not in active use.
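To make the constant bit rate rationale concrete, here is an added simulation (our own illustration, not code from the EP, NIAP, or any vendor product). It uses a constructed toy vocoder with made-up frame sizes, a SHA-256 counter-mode keystream as a stand-in for SRTP's AES-CM, and a constructed "utterance"; the speech classes, sizes, and key are all assumptions chosen for illustration. What it demonstrates is real: a length-preserving stream cipher plus a fixed-size tag leaves the frame size sequence intact, so a passive observer of the VBR stream recovers the frame classes exactly, while the CBR stream's length channel carries zero bits.

```python
"""Why VOIP_EP requires a constant bit rate (CBR) vocoder: constructed demo.

SRTP's AES-CM encryption preserves payload length and appends a fixed-size
authentication tag, so packet lengths reveal the vocoder's frame sizes. With
a variable bit rate (VBR) vocoder those sizes track the speech content.
"""
import hashlib
import math
from collections import Counter

# Constructed toy VBR vocoder: one frame size per speech class. These numbers
# are made up for illustration and are not the output sizes of any real codec.
VBR_FRAME_SIZES = {"silence": 6, "unvoiced": 20, "voiced": 38}
CBR_FRAME_SIZE = 38       # constructed: CBR emits every frame at the same size
SRTP_AUTH_TAG_LEN = 10    # SRTP default 80-bit HMAC-SHA1 tag length (RFC 3711)


def encode(speech, vbr):
    """Produce plaintext frames (bytes) for a sequence of speech classes."""
    frames = []
    for cls in speech:
        size = VBR_FRAME_SIZES[cls] if vbr else CBR_FRAME_SIZE
        frames.append(bytes([len(cls)]) * size)  # frame content is irrelevant here
    return frames


def keystream(key, index, length):
    """Counter-mode keystream stand-in (SHA-256 based, NOT AES-CM). The only
    property that matters for the demo is that it is exactly `length` bytes."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + index.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def srtp_like_protect(frames, key):
    """XOR each frame with a length-preserving keystream and append a fixed-size
    tag, mirroring what SRTP does to an RTP payload."""
    packets = []
    for i, frame in enumerate(frames):
        ct = bytes(a ^ b for a, b in zip(frame, keystream(key, i, len(frame))))
        tag = hashlib.sha256(key + ct).digest()[:SRTP_AUTH_TAG_LEN]
        packets.append(ct + tag)
    return packets


def observer_infer(packets):
    """A passive observer maps each packet length back to a frame class using
    only knowledge of the codec's size table (no key involved)."""
    by_size = {size + SRTP_AUTH_TAG_LEN: cls for cls, size in VBR_FRAME_SIZES.items()}
    return [by_size.get(len(p), "unknown") for p in packets]


def length_entropy_bits(packets):
    """Shannon entropy of the packet-length distribution. 0.0 means the length
    channel carries no information about the content."""
    counts = Counter(len(p) for p in packets)
    n = len(packets)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed utterance: a sequence of frame classes a short phrase might yield.
SPEECH = ["silence", "silence", "unvoiced", "voiced", "voiced", "voiced", "unvoiced", "silence"]
KEY = b"\x00" * 16  # constructed demo key; real SRTP keys come from SDES or DTLS-SRTP


def run(vbr):
    """Encode, protect, and report what an observer learns for the given mode."""
    packets = srtp_like_protect(encode(SPEECH, vbr), KEY)
    return {
        "lengths": [len(p) for p in packets],
        "inferred": observer_infer(packets),
        "entropy_bits": round(length_entropy_bits(packets), 3),
    }


if __name__ == "__main__":
    for mode, vbr in (("VBR", True), ("CBR", False)):
        r = run(vbr)
        print(f"{mode}: lengths={r['lengths']} entropy={r['entropy_bits']} bits")
        print(f"     observer recovers: {r['inferred']}")
```

In VBR mode the observer's reconstruction matches the constructed utterance frame for frame without touching the key; in CBR mode every packet is the same length, the entropy is 0 bits, and the observer's guesses are meaningless. The same reasoning applies to video, which is why an evaluator should ask how a TOE's codec configuration is pinned to constant bit rate rather than left to negotiation.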

A new option that has been made available to developers in the VOIP_EP is the option to use H.323 rather than SIP for communication with an Enterprise Session Controller. H.323/H.235 is now also an acceptable alternative to SRTP for protecting communications with another VVOIP endpoint. This was presumably included because of the EP’s coverage of both voice and video clients.

The release of the VOIP_EP is another step in NIAP’s attempt to move to more modular Protection Profiles. By extending two very common PPs it should make Common Criteria certification possible for a wide variety of voice and video over IP products. Everything from a standalone phone to a desktop software application can now be evaluated, giving vendors and clients more options for CC-compliant voice and video clients.