November 14, 2012

FIPS 140-2 report queue

Let's take a look at the numbers for the FIPS 140-2 Modules in Process list on the NIST website (Nov 13, 2012 update).

The "Review Pending" column shows 95 FIPS 140-2 reports have been submitted to the CMVP but Reviewers have not yet been assigned.  As you might have guessed, this is a large number of reports waiting to be reviewed (this number has increased over the year).  The CMVP is responsible for moving reports to the next phase of "In Review."

The "In Review" column indicates that 17 reports have been assigned to Reviewers.  My guess is that each Reviewer has between 4 and 6 reports in various stages of the review process (typically, 2 Reviewers are assigned to each report).  The CMVP is responsible for moving reports to the "Coordination" phase.

The 52 reports in the "Coordination" phase mean that the CMVP has completed its initial review and clarifying questions have been sent to the testing laboratory.  This is a very high number of reports for the CMVP to manage and it has a direct impact on the queue time.  Again using my guessing skills, I estimate that each Reviewer maintains 12-18 reports in the "Coordination" phase.  The Vendor, Laboratory, and CMVP Reviewers all share responsibility in moving the report to the "Finalization" phase.

The 9 reports in the "Finalization" phase are near the finish line.  The Reviewers' comments have been satisfied and the CMVP is completing administrative tasks prior to posting the validation certificate on the NIST website.

Because of the heavy volume and recent report activity, InfoGard increased our current estimate for the CMVP queue time to 6-7 months (this is the time from report submission -- "Review Pending" -- to the time the lab receives comments from the CMVP -- "Coordination").

Circling back to the first column, the "IUT" or "Implementation Under Test" number of 112 indicates to the CMVP that at least 112 modules are in the testing process currently.  The responsibility to move a module into the "Review Pending" phase is with the Vendor and Laboratory.  A report submission to the CMVP is the trigger to move the module into the "Review Pending" phase.

The FIPS 140-2 Modules in Process list is updated weekly by NIST.

November 9, 2012

NIST SP 800-90 B Draft comments due December 5

Reminder to all:  Comments are due December 5, 2012 for the NIST SP 800-90 B DRAFT Recommendation for the Entropy Sources Used for Random Bit Generation.

We have carefully reviewed this document here at InfoGard and I know that NIST is very interested in receiving feedback from vendors.

At a minimum, review the document containing 5 questions NIST is asking about this Recommendation.

October 10, 2012

NIST Random Bit Generation Workshop, Dec 5-6, 2012

NIST announced a Random Bit Generation Workshop December 5-6, 2012, in Gaithersburg, Maryland.  The intended audience includes industry and government.  Registration is limited and closes November 26, 2012.

The workshop will discuss SP 800-90A/B/C (with the primary focus expected to be on the entropy sources in SP 800-90B).

October 3, 2012

SHA-3 winner announced

Congrats to the cryptographers of Keccak for winning NIST's SHA-3 competition.

The short SHA-3 Selection Announcement is worth the read.

I've already been asked the following question:
Q:  When will SHA-3 be an approved security function for FIPS 140-2 cryptographic modules?

The answer is easy, but I do not know the date:
A:  As soon as it is included in Annex A:  Approved Security Functions for FIPS 140-2

Additional info:  Wiki on SHA-3 NIST hash function competition

September 25, 2012

Unofficial FIPS 140-3 schedule

Thank you, dear readers, for your interest in my "unofficial FIPS 140-3 schedule" updates.  By popular demand, I've been asked to communicate my best guesses again.

Here are the latest dates from NIST's FIPS 140-3 Pub Development page:

  • On October 1, 2012, the additional public comments period closes for specific sections of the second draft of FIPS 140-3 (comments on sections not specifically listed will not be considered).
  • During 2Q of 2013 (April/May/June), all public comments will be addressed by NIST.
  • The remaining schedule milestones do not have target dates so this is where I begin my guessing...

Here are my thoughts on the remainder of the FIPS 140-3 schedule:

  • The scope of the current public comment period is focused.  My approach is to pick more aggressive dates than I have in the past as I do not anticipate any significant changes to the working draft.
  • 3Q of 2013 (July/August/September) - FIPS 140-3 presented to the Commerce Department for signature.
  • 1Q of 2014 (January/February/March) - FIPS 140-3 becomes effective.  The Derived Test Requirements have already been published by now.  Modules may be validated by Labs for FIPS 140-3 requirements.
  • 3Q of 2014 (July/August/September) - the transition period for completing FIPS 140-2 reports ends. All new validation reports submitted must be validated to FIPS 140-3 requirements.  
  • 2015 - Any products in the planning cycle that are to be released in 2015 must be designed to meet FIPS 140-3 requirements.

In other news, ISO/IEC 19790:2012 was published in August 2012.  This is an international standard that evolved from the original FIPS 140-3 draft.  The Derived Test Requirements for 19790, ISO/IEC 24759, may be published in 4Q 2013 (October/November/December).  If the FIPS 140-3 publication followed an alternate path to adopt 19790 (with allowances for US and Canadian specific security functions and other requirements), then the overall schedule may be a Quarter sooner than my estimated schedule above.  There are no official plans for FIPS 140-3 to adopt 19790.

Reference Links:
Official FIPS 140-3 Pub Development
ISO / IEC 19790:2012


August 31, 2012

NIST seeking comments on FIPS 140-3 draft

Here is the link to the latest FIPS 140-3 draft:

Comments are requested on or before October 1, 2012.

NIST plans to address all public comments in the 2nd Quarter of 2013.  The updated FIPS 140-3 Development Status information is here:

August 30, 2012

CMVP review times currently in the 4-6 month range

InfoGard's Quality Manager informed me that CMVP review times have slipped to the 4 to 6 month range for FIPS reports this summer.  We believe the reasons for the summer slow-down are CMVP vacations, new Implementation Guidance, and a surge in report submissions by Labs in the spring.

When selecting a FIPS Laboratory for your next FIPS project, make sure to ask about the Lab's report review process prior to submission.  InfoGard has a deliberate review process involving an independent technical review by a FIPS Security Engineer, a Quality review, a Signatory review, and then a final quick Quality check at the end.  This is our secret sauce for delivering high-quality reports to the CMVP.  Clear, consistent, and compliant reports are easily reviewed by the CMVP allowing you to reach your product sales goals sooner.

August 29, 2012

InfoGard first to reach 500 FIPS certs!

We like reasons to celebrate at InfoGard and we thank our customers for allowing us to achieve this milestone.

Earlier this month, InfoGard became the first FIPS 140-2 testing laboratory to pass the 500 FIPS Certificates mark!  That's 28% of the total during the lifetime of the program.  Thank you, InfoGard Customers, for trusting us with your FIPS 140-2 projects.

May 3, 2012

FIPS 140-2 Implementation Guidance updated (again)

The CMVP has been busy updating the FIPS 140-2 Implementation Guidance.  If you delayed reviewing the April update, then delay no further.  The May update deserves your attention.

See the May 2, 2012 document and changes here:

Note:  You may need to clear your browser's cache to open the latest IG document.

March 26, 2012

InfoGard featured in local newspaper

InfoGard Laboratories was featured in San Luis Obispo's local newspaper.  The Tribune published the article on Saturday, March 24.  A short version of the article may be read here:

March 6, 2012

FIPS 180-4 published

NIST published FIPS 180-4 Secure Hash Standard (SHS).

The updates from FIPS 180-3 are listed in Appendix C of the new FIPS 180-4 publication.  In short, the changes are:
  1. FIPS 180-4 relaxes the padding restriction described in FIPS 180-3
  2. SHA-512/224 and SHA-512/256 were added to the standard

January 20, 2012

FIPS 140-2 Consolidated Validation Certificates

Q:  How long does it take for a recently validated cryptographic module to appear on a FIPS 140-2 Consolidated Validation Certificate?

A:  At the end of each month, the CMVP generates a list of cryptographic modules that were issued new FIPS 140-2 certificates.  The Consolidated Validation Certificate is signed by a NIST representative in the United States and then routed to Canada for signature by a CSEC representative.  The signature and posting process takes about two weeks. 

For example, modules that received a certificate number in the month of January will appear on the FIPS 140-2 Consolidated Validation Certificate that gets posted mid-February.

January 10, 2012

January 5, 2012

FIPS 140-2 Annex D updated

On December 20, 2011, Annex D was updated with the following change:

Key Establishment Techniques
Added: Recommendation for Key Derivation through Extraction-then-Expansion, Special Publication 800-56C

FIPS certificate totals for 2011 down 19%

The number of FIPS 140-2 certificates issued in 2011 was down 19% compared to 2010.  A total of 185 certificates were issued in 2011 (229 were issued in 2010).  Here are the totals by Lab for 2011: