May 31, 2016

CMVP Validation Sunsetting Policy

Based on a CMVP notice from November 2015, we know that starting in 2017 the CMVP will move all 140-1 certificates and any 140-2 certificates older than 5 years to the Historical List. The goal is to keep current, valid crypto modules in circulation amongst federal agencies.  Remember that the Historical List is a “do not buy” list for US federal government procurement purposes. The previous policy was such that the 5 year clock would start running from the last date that a certificate was modified.  Between now and February 1, 2017, minor updates, such as updating vendor contact information or the module name, will reset the 5 year clock. However, after February 1, 2017, the policy is such that any validation submission that is a maintenance effort (i.e., submissions that are 1, 2, and 4 SUB submissions in CMVP speak) would NOT reset the 5 year running clock. With this change, vendors have the rest of 2016 to complete a minor update effort that would extend the life of their certificates. After that, in order to stay off of the Historical List, it must be proven that the module meets all current guidance.

Another topic to be aware of is that rebranding of an OEM module (1SUB scenario A submissions) will be under much more scrutiny by labs and CMVP reviewers when this policy goes into effect. It will have to be demonstrated that the rebranded module meets all current guidance. Alternatively, the CMVP may choose to only accept 1SUB scenario A submissions within a certain amount of time from the original OEM validation date. CMVP will provide further clarification as it relates to how they will accept rebranded modules.
We can expect an update to the validation sunsetting policy on the CMVP website soon.

January 7, 2016

CMVP issues over 200 certificates in 2015

In 2015 the CMVP issued 206 FIPS 140-2 certificates, including a Security Level 4 certificate. This was the first Level 4 certificate since 2011.
Here are the totals by laboratory for 2015:


Congratulations to the FIPS Team at InfoGard for producing the most FIPS 140-2 certificates for the 7th straight year.

On December 4, 2015, InfoGard was acquired by UL, a global leader in safety science.

December 8, 2015

UL Acquires InfoGard to Broaden Company’s Range of Security Services

UL has acquired InfoGard, a market leader in accredited security assurance services for the payment sector and federally mandated IT secure products, and positions UL in the healthcare IT and biometric secure authentication sectors. Learn more at: