May 31, 2011

New FIPS 140-2 testing lab, Booz Allen Hamilton

Booz Allen Hamilton is now the most recent NIST accredited FIPS 140 testing laboratory.  The addition of CGI and BAH to the NIST website this week brings the number of FIPS labs back up to 19.

The Booz Allen Hamilton FIPS Lab is located in Maryland (USA).

Welcome, BAH!

Canadian lab, CGI, back as an accredited FIPS 140 lab

CGI is back on the NIST website of accredited FIPS 140 testing laboratories.  Back in March of 2011, I noted that CGI had dropped off the website.  Jason Lawlor (CGI Lab Manager) informed me that it was a temporary situation.  On May 24, 2011, Jason confirmed that CGI has received their accreditation as a FIPS 140 testing lab.

Welcome back!

May 27, 2011

FIPS 140-2 certificates trending down in 2011

The number of FIPS 140-2 certificates issued in 2011 is trending at a slower pace than 2010.  My unofficial projection for the end of year total has been lowered to 175 new FIPS 140-2 certs (there were 229 certs last year).

This is actually great news for anyone pursuing a FIPS 140-2 validation in 2011.  CMVP review times have significantly improved this year and there is capacity for validation testing at all of the FIPS labs.

The chart below shows the breakdown of FIPS 140-2 certificates by Laboratory for 2011 (through May 27, 2011 there are 73 new FIPS certs).  The number between the Lab name and the percentage is the number of certificates for 2011.

May 25, 2011

FIPS 140-2 turns a decade old

FIPS 140-2 was signed by the Secretary of Commerce on May 25, 2001.  Happy 10th anniversary!

One of the most popular questions I get is "When is FIPS 140-3 coming out?"  The NIST schedule for FIPS 140-3 indicates that Secretary of Commerce will receive FIPS 140-3 for signature before the end of June.  I have not seen any indication that this target time frame will be met, but I do not claim to have deep insight into the schedule.

If you have thoughts on the FIPS 140-3 schedule, please share in a comment for the benefit of others in the FIPS community.  Thanks.

May 16, 2011

CMVP review times between 5 and 10 weeks for FIPS 140-2 validations

Back in March, I posted that the CMVP review times for FIPS 140-2 validation reports had significantly improved.  Since good news doesn't travel as fast as the other kind of news, I am still trying to get the word out that FIPS validations do not take as long to complete as they used to. 

The last 8 reports submitted by InfoGard had the following CMVP review times (in weeks -- and I rounded up!): 

2, 2, 5, 5, 5, 6, 7, 7

(Now, the 2-week review times were special cases, but they are worth noting to demonstrate the heightened responsiveness.)  With these data points, I am lowering my Unofficial CMVP Review Time Estimate to "5 to 10 weeks." 

[NOTE:  My definition of "CMVP Review Time" is the time between report submission to the CMVP (Review Pending block on the Modules in Process List) to the day the Laboratory first receives comments from the CMVP (Coordination block on the Module in Process List).]

Share your experience in the comment section.