January 7, 2016

CMVP issues over 200 certificates in 2015


In 2015 the CMVP issued 206 FIPS 140-2 certificates, including a Security Level 4 certificate. This was the first Level 4 certificate since 2011.
 
Here are the totals by laboratory for 2015:

 



Congratulations to the FIPS Team at InfoGard for producing the most FIPS 140-2 certificates for the 7th straight year.

On December 4, 2015, InfoGard was acquired by UL, a global leader in safety science.

December 8, 2015

UL Acquires InfoGard to Broaden Company’s Range of Security Services


UL has acquired InfoGard, a market leader in accredited security assurance services for the payment sector and federally mandated IT secure products, and positions UL in the healthcare IT and biometric secure authentication sectors. Learn more at:

November 12, 2015

CMVP Adopts 5-year Validation Sunsetting Policy and an RNG Transition Update

Following the annual lab managers meeting and International Crypto Module Conference (ICMC) last week, the CMVP has released a few important notices that have a large impact on the community at large.

The first describes a new policy in which FIPS validation certificates older than 5 years will be moved to a "Legacy Validation List".  The Legacy Validation list is not to be used for procurement by federal agencies. This policy becomes effective January 1st, 2017. 

This new policy will certainly have a large impact on our government agencies who will potentially be in violation of FISMA when this policy takes affect.  In a way this is a good thing, though.  It keeps dated technology not up to current security guidelines from protecting sensitive information within our government.

For product vendors, there is a process to keep older modules off of this legacy list, but it does involve working with the labs to demonstrate that the module is compliant with all current standards and implementation guidance.  This work would need to take place prior to January 1, 2017.   I suggest that you begin this work now.  In some cases, depending on when the module was validated, it may be a large undertaking to demonstrate that all current guidance is being adhered to.

The second notice of interest relates to the RNG transition.  We know that RNG's will no longer be considered Approved for key generation at the end of this year.  Any module that has an RNG will be moved to the same Legacy Validation List described above.  The CMVP has allowed for updating these modules through a 1SUB like process ("bug fix" or "maintenance letter" process).  This will allow for an efficient and timely process for keeping these modules off of the legacy list.

Here is the link to the notices (again):

http://csrc.nist.gov/groups/STM/cmvp/notices.html

August 12, 2015

NIST Seeking Public Comments on ISO/IEC 19790:2012

NIST announced today that they are seeking public comments on using ISO/IEC standards for cryptographic algorithm and cryptographic module testing, conformance, and validation activities, currently specified by Federal Information Processing Standard (FIPS) 140-2.

The responses to this request will be used to plan possible changes to the FIPS standard or in a decision to use all or part of ISO/IEC 19790:2012, Security Requirements for Cryptographic Modules, for testing, conformance and validation of cryptographic algorithms and modules.

The comment period is 45 days (September 28, 2015) and all are encouraged to provide feedback.  Seeing as though the next revision of the FIPS standard is long overdue, the hope is that the comments that are provided help NIST converge on a solution.  Even if not all aspects of the current ISO standard are perfect, it is still a big improvement compared to continuing to test to FIPS 140-2.