January 6, 2015

Record number of FIPS 140-2 certificates issued in 2014

In 2014, the CMVP validated more FIPS 140-2 cryptographic modules than in any other year in the history of the program. 233 new FIPS certificates were issued last year, which surpassed the previous high of 229 in 2010.

Here are the totals by Laboratory for 2014:

Congratulations to the FIPS Team at InfoGard Laboratories.  That's 6 years in a row of producing the most FIPS 140-2 certificates (2009-2014).

December 5, 2014

The RNG Transition is Coming!

The RNG transition in 2016 is fast approaching.  Is your cryptographic module prepared?

The SP800-131A transition guidance states the following about the RNG transition:

"The use of the RNGs specified in FIPS 186-2, [X9.31] and [X9.62] is deprecated from 2011 through December 31, 2015, and disallowed after 2015".

Put simply, if a module utilizes one of the Random Number Generators (RNGs) in question for the purposes of key generation, the module will no longer have a compliant key generation method starting in January 2016. All cryptographic keys generated using the disallowed RNG will no longer be considered Approved.

This will not only affect future validations but will also be retroactive for all currently validated cryptographic modules. Although CMVP would not confirm their specific course of action on January 1, 2016, we do know that a large percentage of FIPS 140-2 validated modules will be without a compliant mechanism to generate approved cryptographic keys. That places agencies using these cryptographic modules in a precarious position, as they are required to use FIPS-validated cryptographic modules. Without updates to this functionality, federal agencies would be in direct violation of FISMA 2002.

So what are your options? If you are currently undergoing, or plan to undergo, FIPS 140-2 validation testing on a new module in the near future, you will need to ensure that your RNG is one defined in Special Publication 800-90A. If you already have a FIPS 140-2 validated product and that device implements one or more of the soon-to-be-disallowed RNGs, you will need to undergo revalidation testing with an approved RNG in order to maintain your validation.

October 2, 2014

Certificates and Queue Time Updates

At the end of the second quarter, we wrote about the CMVP being on a record pace for issuing FIPS 140-2 certificates in 2014.  Well, three quarters of the year have gone by now, and the CMVP remains on track.  One hundred ninety-one (191) FIPS 140-2 certificates have been issued during these 9 months of 2014. At the current pace, the projection for 2014 is 254 certificates (down from a projection of 262 in July).  We're still looking at the CMVP blowing by last year's mark of 208 certificates and the all-time record of 229 in 2010.

Here is the breakdown of certificates by the FIPS Laboratories for the first three quarters of 2014.



A quick update about the CMVP report queue:
InfoGard's current estimate for the CMVP queue time is 3-4 months (this is the time from report submission -- "Review Pending" -- to the time the Lab receives comments from the CMVP -- "Coordination").

Obviously I can't predict the future, but there is no indication that this current queue time will not be maintained.  It's a good sign for the remainder of the year and heading into 2015.  The CMVP was able to reduce the queue from 8-9 months last year to 3-4 months this year amid all of the algorithm transitions that took place, not an easy task. Next year should be a breeze comparatively.

September 3, 2014

What a Great 400 Weeks!

[Mark Minnoch posting one last time for The FIPS Lab blog]

I am so fortunate to have been part of the best Cryptographic Security Testing Laboratory these past 400 weeks (my InfoGard start date was January 2, 2007). I wanted to stay at least 500 weeks, but I ended up accepting an opportunity to join wolfSSL to help change the security world in a different way.

Yes, I will dearly miss my awesome co-workers and customers. The security world is a small place so I expect to keep in touch with many of you. Please send me a connection request on LinkedIn:

Marc Ireland, InfoGard's FIPS Program Manager, will be your new "FIPS Lab" blogger. Here I am passing InfoGard's "Top Tiger" Award to Marc for taking over the blog. Please let him know what topics you would like to see covered in The FIPS Lab blog!

Marc Ireland (Left) accepting the "Top Tiger" Award from Mark Minnoch

Mark Minnoch is now the new Account Manager at wolfSSL.

Marc Ireland is the FIPS Program Manager at InfoGard Laboratories and new author of The FIPS Lab blog.

July 1, 2014

FIPS 140-4 Draft Available

The CMVP posted a proposed draft of FIPS 140-4 today. This draft includes a warning statement that vendors are strongly advised not to design to requirements of draft FIPS 140-4 if they conflict with the requirements of FIPS 140-2.


Let's recap where we stand with FIPS 140-4:

  1. No schedule. The Division Chief position at NIST has still not been "officially" filled. Expect no progress or schedule before the new Division Chief is announced.
  2. No surprise. The FIPS 140-4 draft is an 11-page document that points to ISO/IEC 19790:2012.
  3. No overlap. If you are the proactive type, do not jump to the draft standard too early. Meeting a FIPS 140-4 requirement will not allow you a free pass on an annoying FIPS 140-2 requirement if they conflict.

The Vendor and Lab communities need to become more active in driving FIPS 140-4.

QUESTION: "How can I positively influence the adoption of FIPS 140-4?" 

ANSWER: Contact Charles Romine, the Director of the Information Technology Laboratory at NIST. In the FOREWORD section of the FIPS 140-4 draft, the Director welcomes all comments. (A physical address is provided in the draft but a quick search on nist.gov shows the following e-mail for Dr. Romine: charles.romine@nist.gov)

Make "FIPS 140-4 Feedback" the subject of your e-mail.

Here are some things to think about when crafting your feedback to the Director:

  1. With the current 13-year-old FIPS 140-2 standard, will you be satisfied testing your future products to those aging requirements?
  2. Can you make the world a better place for government agencies by designing your products to more relevant requirements?
  3. Share your development lead times with the Director. Express how important it is for you to understand (and plan for) requirement changes.

My feedback e-mail has already been sent.

Mark Minnoch is an Account Manager at InfoGard Laboratories.  He covers FIPS 140-4 updates like TMZ covers a paparazzi-dodging star.

CMVP Could Set Record in 2014 for FIPS 140-2 Certificates

The CMVP is on a record pace for issuing FIPS 140-2 certificates in 2014.  One hundred thirty-one (131) FIPS 140-2 certificates have been issued during the first 6 months of 2014. At the current pace, the projection for 2014 is 262 certificates -- that would smash the 208 certificates issued in 2013 and crush CMVP's all-time record of 229 in 2010.

Here is the breakdown of certificates by the FIPS Laboratories for the first half of 2014. 

A few folks were on travel (or camera shy), but most of the InfoGard FIPS Team are pictured here.

Mark Minnoch is an Account Manager at InfoGard Laboratories. The InfoGard FIPS Team produces more FIPS certificates for our customers than any other lab.

June 5, 2014

Save $2000 on Your FIPS Project!

Congrats to all the new 2014 high school graduates. This is an exciting time in your life and I would like to share a bit of advice with you.

If your parents are involved in a FIPS 140-2 project at work, then be sure to tell them how they can save their company $2000 or more.

This tip is almost guaranteed to work its way back into an awesome graduation present for you!

The NIST Cost Recovery fees for FIPS 140-2 reports are increasing on August 1, 2014.

Cost Recovery Fee (through July 31, 2014)
Cost Recovery Fee (starting Aug 1, 2014)

Also, beginning August 1, 2014, revalidation reports (3SUBs) will require a $2000 Cost Recovery fee (currently there is no Cost Recovery fee for 3SUBs).

Here is your take-away: complete your FIPS 140-2 testing in time to get your report submitted to the CMVP no later than July 31, 2014.

Mark Minnoch is an Account Manager at InfoGard Laboratories. Mark helps technology vendors save money and make money!