Welcome to the Acumen Security Blog

CMUF update from the CMVP

Hi Everyone,

Here are some important updates from the recent Cryptographic Module User Forum (CMUF) meeting for March 2017. The joint CMVP leads, Jennifer Cawthra (NIST) and Carolyn French (CSE), shared changes to the Implementation Under Test (IUT) and Modules In Process Listing (MIP) processes. They also discussed the recent move of modules to the Historical Listing website and shared a new definition for a 2SUB. Details on each of these topics are below:

IUTB and the MIP list:

  • The module review process begins once NIST confirms that the Cost Recovery fee for the submission has been paid. To expedite this process, labs can request an invoice from NIST before a module report is submitted.
  • If the report has not been submitted more than 90 days after IUTB, NIST will remove the module from the IUT listing.
    When NIST receives the module report and sees that the invoice is paid, the module returns to its place in the queue and is added to the MIP list.

As of July 1st, 2017:

  • Stagnant modules in IUT will be dropped after 18 months on the list.
  • If 90 days pass without a response after CMVP comments have been sent to the lab, the module is put On Hold and removed from the MIP list. Once comments are received, the module goes back on the MIP list and returns to its place in the queue.

As of January 1st, 2018:

  • All certifications must be completed within 2 years of report submission or IUTB request, whichever occurred first
  • At the 2-year submission anniversary, the module will be dropped from the MIP list.
  • The vendor and lab will need to restart the validation process from the beginning, including paying a new NIST Cost Recovery Fee
  • This policy will affect all new submissions and submissions in the queue as of 01/01/2018
  • Labs have been (and will be) notified of modules that will be dropped as of 01/01/2018

CMVP Historical Listing:

  • As of February 1st, 2017, modules validated to FIPS 140-1 and modules validated over 5 years ago have been moved to the Historical Listing.
  • 575 certificates were moved to the Historical Listing
  • These modules are not to be used for procurement by Federal Agencies.
  • If these modules are already being used, Federal Agencies make a risk-based decision on whether to continue using them or to replace them.
  • 1SUBs where the module is unchanged will not move a module from the historical list back to the active validation list
  • 3SUBs will be accepted for up to 2 years after the module's sunset date. The resulting new certificate will appear on the active validation list.

New 2SUB definition

  • As of May 2017, IG G.8 will be updated to have a new definition for a 2SUB. It will be for extending the module’s certificate sunset date.
  • Module must meet all the latest standards/FIPS requirements/IGs and CAVP testing requirements at the time of 2SUB submission.
  • Only available to modules on the active validation list.
  • IG G.8 sent to public for comments – comments due April 14th, 2017. Ping Acumen if you would like the draft IG for review.

Big News: Upcoming CMVP MIP/IUT policy changes effective 2017 & 2018

This morning, CMVP informed the CSTL labs about a couple of major policy changes that impact modules listed on the Module In Process (MIP) and Implementation Under Test (IUT) lists.

Change #1:

Effective July 1, 2017:

1. The CMVP will automatically drop modules in IUT after 18 months.

2. The amount of time for the labs to respond to CMVP comments will be reduced from 120 days to 90 days. After 90 days, the module will be placed on hold and removed from the MIP list.

The big change here is that modules cannot remain on IUT for more than 18 months. Prior to this change there was no time limit. Achieving IUT status is an important milestone for product vendors since it shows a serious commitment to FIPS validation. With a time limit now in place, it will be important to plan and ensure that all validation activities up to report submission are completed within 18 months of IUT. The good news is that 18 months is a long enough time and this shouldn’t be an issue for most product vendors.

Note that this change is effective July 1 and will apply to all modules currently listed in IUT as well as new submissions. While this is not apparent in the CMVP notice, we confirmed with CMVP that this is the case. If you have products on the IUT list that will be at 18 months or more, please ensure contingency steps are taken.

Change #2:

Effective January 1, 2018:

1. The CMVP will drop modules that have not been validated within 2 years of submission or IUTB, whichever occurred first. When the module is dropped, the vendor and lab will have to restart the validation process by sending an updated submission and paying a new cost recovery fee at the current rate.

This shouldn’t be a big problem for most product vendors. In our experience, once a report is submitted, a certificate is issued within 3-5 months. 2 years seems extremely generous.

Please let us know if you have any questions.