November 14, 2012

FIPS 140-2 report queue

Let's take a look at the numbers for the FIPS 140-2 Modules in Process list on the NIST website (Nov 13, 2012 update).


The "Review Pending" column shows 95 FIPS 140-2 reports have been submitted to the CMVP but Reviewers have not yet been assigned.  As you might have guessed, this is a large number of reports waiting to be reviewed (this number has increased over the year).  The CMVP is responsible for moving reports to the next phase of "In Review."

The "In Review" column indicates that 17 reports have been assigned to Reviewers.  My guess is that each Reviewer has between 4-6 reports in various stages of the review process (typically, 2 Reviewers are assigned to each report).  The CMVP is responsible for moving reports to the "Coordination" phase.

The 52 reports in the "Coordination" phase means that the CMVP has completed their initial review and clarifying questions have been sent to the testing laboratory.  This is a very high number of reports for the CMVP to manage and it has a direct impact on the queue time.  Again using my guessing skills, I estimate that each Reviewer maintains 12-18 reports in the "Coordination" phase.  The Vendor, Laboratory, and CMVP Reviewers all share responsibility in moving the report to the "Finalization" phase.

The 9 reports in the "Finalization" phase are near the finish line.  The Reviewers' comments have been satisfied and the CMVP is completing administrative tasks prior to posting the validation certificate on the NIST website.

Because of the heavy volume and recent report activity, InfoGard increased our current estimate for the CMVP queue time to 6-7 months (this is the time between report submission -- "Review Pending" -- to the time the lab receives comments from the CMVP -- "Coordination").

Circling back to the first column, the "IUT" or "Implementation Under Test" number of 112 indicates to the CMVP that at least 112 modules are in the testing process currently.  The responsibility to move a module into the "Review Pending" phase is with the Vendor and Laboratory.  A report submission to the CMVP is the trigger to move the module into the "Review Pending" phase.

The FIPS 140-2 Modules in Process list is updated weekly by NIST.

November 9, 2012

NIST SP 800-90 B Draft comments due December 5

Reminder to all:  Comments are due December 5, 2012 for the NIST SP 800-90 B DRAFT Recommendation for the Entropy Sources Used for Random Bit Generation.

We have carefully reviewed this document here at InfoGard and I know that NIST is very interested in receiving feedback from vendors.

At a minimum, review the document containing 5 questions NIST is asking about this Recommendation.