Welcome to the Acumen Security Blog

CMUF update from the CMVP

Hi Everyone,

Some important updates the recent Cryptographic Module User Forum (CMUF) Meeting for March 2017. The joint CMVP leads Jennifer Cawthra (NIST) and Carolyn French (CSE) shared some important updates to the Implementation Under Test (IUT) and Modules In Process Listing (MIP) processes. They also discussed the recent move of modules to the Historical listing website and shared a new definition for a 2SUB. Please find details on each of these topics below:

IUTB and the MIP list:

  • The module review process begins once NIST confirm the Cost Recovery fee for the submission has been paid. To expedite this process labs can request an invoice from NIST before a module report is submitted.
  • If >90 days after IUTB the report has not been submitted – NIST will remove it from the IUT listing.
    When NIST receive the module report and see the invoice is paid module will return to its place in the queue and is added to the MIP list.

As of July 1st, 2017:

  • Stagnant modules in IUT will be dropped after 18 months on the list.
  • CMVP comments have been sent to the lab + 90 days without a response. Module put On Hold and removed from MIP list. Once comments are received module goes back on MIP list and returns to its place on queue.

As of January 1st, 2018:

  • All certifications must be completed within 2 years of report submission or IUTB request, whichever occurred first
  • At 2-year submission anniversary, module will be dropped from MIP list.
  • Vendor and lab will need to re-start the validation process from the beginning including paying a new NIST Cost Recovery Fee
  • This policy will be affect all new submissions and submissions in the queue as of 01/01/2018
  • Labs have been (and will be) notified of modules that will be dropped as of 01/01/2018

CMVP Historical Listing:

  • As of February 1st, 2017, modules validated to FIPS 140-1 and modules validated over 5 years ago have been moved to the Historical Listing.
  • 575 certificates were moved to the Historical Listing
  • These modules are not to be used for procurement by Federal Agencies.
  • If these modules are already being used, Federal Agencies makes a risk-based decision on whether to continue using them or to replace them.
  • 1SUBs where the module is unchanged will not move a module from the historical list back to the active validation list
  • 3SUBs will be accepted for up to 2 years after the modules sunset date. The resulting new certificate will appear on the active validation list.

New 2SUB definition

  • As of May 2017, IG G.8 will be updated to have a new definition for a 2SUB. It will be for extending the module’s certificate sunset date.
  • Module must meet all the latest standards/FIPS requirements/IGs and CAVP testing requirements at the time of 2SUB submission.
  • Only available to modules on the active validation list.
  • IG G.8 sent to public for comments – comments due April 14th, 2017. Ping Acumen if you would like the draft IG for review.

OpenSSL + FIPS… here to stay!

If you follow the developments in OpenSSL (who doesn’t?!?!) you would have seen the BIG NEWS posted by Steve Marquess regarding the next round of FIPS validation of OpenSSL’s FIPS Object module! This is indeed an exciting moment for all of us here at Acumen Security! We are honored to be part of this team for such a seminal FIPS validation.

The last OpenSSL crypto module FIPS validation had a profound impact on how ICT companies leverage and claim FIPS compliance and we expect this will have an even greater impact on our industry. We have seen firsthand how useful it is for companies to have a FIPS validated module for use with OpenSSL and the efficiencies it offers. The contribution of the FIPS validated OpenSSL crypto module cannot be exaggerated.

Dream_teamWe are thankful to SafeLogic and the OpenSSL project for placing their trust in us to be the Lab of choice. With this honor, we are keenly aware of the responsibility that has been shouldered upon us. Given what is riding on this FIPS validation, we aim to offer a certification that is solid and comprehensive and can withstand the scrutiny that comes with an open source validation. With multiple decades of experience and knowledge in leading and shepherding FIPS validations, we expect to bring this validation to its expected successful completion

As Steve mentioned, more details to follow, stay tuned! We will be updating our progress in the coming weeks and months. For more information about the project please contact us at info@acumensecurity.net