November 15, 2013

CMVP queue time is currently 5.5 months for FIPS 140-2 reports

InfoGard's current estimate for the CMVP queue time is 5.5 months (this is the time between report submission -- "Review Pending" -- and the time the Lab receives comments from the CMVP -- "Coordination").

As of November 15, 2013, the CMVP has provided comments on all InfoGard reports submitted through May 2013 (the oldest InfoGard report that has not received CMVP comments was submitted June 10, 2013).

The CMVP focus on the report queue since returning from the US government shutdown in October has been phenomenal.  Right after the NIST side of the CMVP returned to work last month, I expected the queue to hold steady at 8 months.

Please contribute your comments to this post or contact me directly.

Contact info:
Mark Minnoch
InfoGard Laboratories

October 18, 2013

No perfect storm for the FIPS 140-2 report queue?

After reviewing the CMVP's Modules in Process list pre- and post-government shutdown, the expected "welcome back to work" flood of reports did not materialize.  In the simplest of explanations, the CMVP queue only increased by 3 reports during the furlough.

Let me explain my thinking.  The following picture shows the Modules in Process totals updated 10/17/2013 (after NIST returned to work):

The "Review Pending" column shows 73 FIPS 140-2 reports have been submitted to the CMVP but Reviewers have not yet been assigned.  As you might have guessed, this is a large number of reports waiting to be reviewed, but this number was 69 before the shutdown.  The CMVP is responsible for moving reports to the next phase of "In Review."

The "In Review" column indicates that 12 reports have been assigned to Reviewers.  This is actually a decrease from 19 shown on the 9/30/2013 report.  7 or more reports moved into the coordination phase once NIST returned.  The CMVP is responsible for moving reports to the "Coordination" phase.

The 86 reports in the "Coordination" phase mean that the CMVP has completed its initial review and clarifying questions have been sent to the testing laboratory.  This is a very high number of reports for the CMVP to manage and it has a direct impact on the queue time.  This compares to 80 at the end of September and we would expect to see this number increase with the decrease in the "In Review" phase.  The Vendor, Laboratory, and CMVP Reviewers all share responsibility in moving the report to the "Finalization" phase.

The "Finalization" phase still has 11 reports pre- and post-shutdown.

In comparing the pre- and post-shutdown grand totals for all reports, there is only a +3 gain.

"What does it all mean?"  (side note: a former co-worker used this question instead of a "hello" greeting every time someone passed him in the hall)

Here are my thoughts (and please share yours in the comment section):

  1. We may have dodged a bullet.  Perhaps I will be asking for forgiveness for my earlier prediction that review times would certainly increase. (Let's hope that I do get to apologize!)
  2. CSEC, the Canadian side of the CMVP, may have rocked through some reports while NIST was shut down.

I will continue to monitor the report queue, but for now I estimate the CMVP queue review time is 8 months.

October 11, 2013

Shut the backdoor

If you have a FIPS 140-2 cryptographic module that implements the Dual EC DRBG from SP800-90A, then you may be fielding questions from your customers after they read articles like this one from the IEEE Spectrum:  Can You Trust NIST?

Please contact me if InfoGard performed your FIPS 140-2 validation.  I would be happy to help determine if your Dual EC DRBG function can be disabled in a new version of your crypto module without going through a lengthy revalidation effort.

Mark Minnoch 

October 7, 2013

FIPS 140-2 certs down 16% in 2013

For the first 3 calendar quarters of 2013, the CMVP has issued 126 new FIPS 140-2 certificates.  At this pace, the expected number of certificates in 2013 will be 16% lower than in 2012.

The NIST shutdown in October will almost certainly push the number of FIPS certificates to a low level not seen since 2007.

Here are the 2013 FIPS 140-2 certificate totals by Laboratory through September 30:

October 4, 2013

Alternate website for FIPS 140-2 certificate information

Don't let the NIST shutdown keep you from accessing details of the FIPS 140-2 validated cryptographic modules.  The folks at Cryptsoft maintain a copy of the information that is publicly available from NIST (well, available during non-furlough days):

The information is current (last update was September 30, 2013).

October 1, 2013

NIST CMVP employees are furloughed

Any work requiring NIST CMVP involvement will be delayed until the US government executes a resolution to the budget.  This shutdown will impact all FIPS 140-2 validations and revalidations in review by the CMVP, maintenance letters, and algorithm testing.

InfoGard and other FIPS laboratories will remain open.  Lab testing services that do not require NIST CMVP involvement will continue.

The CSEC side of the CMVP will continue their operations although no validations will be completed without a NIST signatory. 

This shutdown will increase the already long CMVP review times for FIPS 140-2 reports.  The CMVP is currently reviewing reports that were submitted in January.

July 29, 2013

Mini-update on the FIPS 140-3 schedule

The official schedule shows that the FIPS 140-3 document is now ready for publication (July 2013) and it will be presented to the Commerce Department for signature by the Secretary of Commerce in August 2013.  

With this mini-update from the Cryptographic Technology Group (the responsible organization for developing the FIPS 140-3 publication), I am still comfortable with my guesses at the schedule I made in September 2012:

  • 1Q of 2014 (January/February/March) - FIPS 140-3 becomes effective.  The Derived Test Requirements have already been published by now.  Modules may be validated by Labs for FIPS 140-3 requirements.
  • 3Q of 2014 (July/August/September) - the transition period for completing FIPS 140-2 reports ends. All new validation reports submitted must be validated to FIPS 140-3 requirements.  
  • 2015 - Any products in the planning cycle that are to be released in 2015 must be designed to meet FIPS 140-3 requirements.

Please note that the updated FIPS 140-3 document has not been made publicly available yet.

July 25, 2013

FIPS 140-2 Implementation Guidance updated

The CMVP published an update to the FIPS 140-2 Implementation Guidance (IG) on July 25, 2013.

Note:  You must read 9.10 if you have a software-only module. 

New Implementation Guidance:
  • 3.5 Documentation Requirements for Cryptographic Module Services
  • 9.9 Pair-Wise Consistency Self-Test When Generating a Key Pair
  • 9.10 Power-Up Tests for Software Module Libraries
  • D.11 References to the Support of Industry Protocols

Updated Implementation Guidance:
  • D.8 Key Agreement Methods
    • Resolution section has been updated.
  • D.9 Key Transport Methods
    • Resolution section has been updated.

July 3, 2013

99 FIPS 140-2 certificates during first 6 months of 2013

The CMVP is maintaining their pace for issuing FIPS 140-2 certificates.  Ninety-nine (99) FIPS 140-2 certificates have been issued during the first 6 months of 2013 (for comparison, 200 certificates were issued in all of 2012).

Here is the breakdown of certificates by the FIPS Laboratories for the first half of 2013:

May 1, 2013

7.5 months for the CMVP queue

InfoGard's current estimate for the CMVP queue time is 7.5 months (this is the time between report submission -- "Review Pending" -- and the time the Lab receives comments from the CMVP -- "Coordination").

  • 7.5 months is the expected maximum length of time -- InfoGard has received CMVP comments well under that time for some of our reports.
  • This estimate is based on InfoGard's report submissions and the trends observed in the Modules in Process list.

I was encouraged during my review of the most recent FIPS 140-2 Modules in Process list.  The number of modules in the "Review Pending" and "In Review" columns total 96.  This number represents the CMVP report queue and the trend is pushing downwards (this total has been over 110 recently).

I thought that CMVP review times were going to steadily increase throughout 2013.  Our information shows that the review times are holding steady.

The number of reports in "Coordination" (71) is higher than desired.  Vendors, Labs, and the CMVP all share responsibility in moving reports from "Coordination" to "Finalization."  Reducing the number of reports in "Coordination" allows the CMVP to focus more on the reports in the review process.  When less time is spent on "Coordination" efforts, the queue time for report reviews improves.

If you are a Vendor with a report that is currently in "Coordination," take the following proactive steps to assist in the validation effort:

  1. Stay in communication with your FIPS Laboratory or Consultant.  If you have actions to complete, let your FIPS contact know your target completion date for your action items.
  2. If you are updating your FIPS 140-2 Security Policy (likely), then be sure to follow your configuration management system to properly version control the updated document (e.g., change the version number and date).
  3. Ask your Laboratory (or Consultant) to provide the date they expect to submit responses back to the CMVP. Request confirmation when responses are returned.
  4. At InfoGard, we contact the CMVP if we have not received an update after 2 weeks.  If you have not received an update after 2 weeks, contact your Laboratory (or Consultant).  (Please do not contact the CMVP directly.  The CMVP politely requests that you communicate through your Laboratory.)
  5. When the CMVP responds to the Laboratory, your report either moves into "Finalization" or there are additional comments.  For additional comments, repeat steps 1-4.

Please contribute your comments to this post or contact me directly.

Contact info:
Mark Minnoch
InfoGard Laboratories
FIPS Program Manager

March 25, 2013

FIPS 140-2 report queue update

As of March 20, 2013, the CMVP has issued 52 certificates for the year (19 of those were validated by InfoGard Laboratories).  

As of March 25, 2013, InfoGard has received comments for 7 of 8 reports submitted in July 2012.  All reports submitted prior to July have been reviewed by the CMVP.  No August reports have been returned for comments yet.  

I am increasing my estimate for the current CMVP review time to 8 months.  My February post estimated a queue time that was holding at 6-7 months.  As I mentioned in my earlier post, this increase is not a surprise as the number of reports that the CMVP is processing has dramatically increased compared to last year.  

February 4, 2013

The FIPS 140-2 Cryptographic Modules Listings on the NIST website identify CST Labs by NVLAP numbers.

The following table is sorted by NVLAP number to make it easy to identify the Lab that performed a validation.  The list of NVLAP Testing Laboratories is maintained on the NIST website:

February 1, 2013

FIPS 140-2 report queue update

Now that January is behind us, it is time for an update on the FIPS 140-2 report queue.  In January 2013, 15 FIPS 140-2 certificates were issued -- 7 of those were validated by InfoGard Laboratories.  Go Team!

As of February 1, 2013, InfoGard has received comments from the CMVP for 4 reports that were submitted in July 2012 and we are waiting for comments on 4 other July reports.  All reports submitted prior to July have been reviewed by the CMVP.

My estimate for the current CMVP review time remains at 6 to 7 months.  I am actually very encouraged that my estimate has not increased since I went on record with my last estimate in November 2012.

I am carefully monitoring the Modules in Process list as this is an excellent indicator of FIPS 140-2 report activity.  The number of reports in the "Review Pending" and "In Review" columns has increased by 26 (a 23% uptick) since November 2012.

Longer review times may be ahead of us in 2013, so stay tuned for future updates.  High quality report submissions are exactly what the CMVP needs to maintain and improve their review times.

January 7, 2013

FIPS 140-2 certificate totals up 8% in 2012

We ended 2012 with 20 FIPS Testing Laboratories.  Thirteen of those Laboratories completed validations for their customers last year resulting in a total of 200 FIPS 140-2 certificates issued.  That is an increase of 8% over 2011 (there were 185 certs issued in 2011).

The FIPS Team at InfoGard Laboratories thanks our customers for making us the #1 FIPS Lab for the 4th year in a row!

Here is the breakdown by Laboratory:

January 2, 2013

SP 800-38F added to Annex D

NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, has been added to Annex D:  Approved Key Establishment Techniques for FIPS PUB 140-2 on January 2, 2013.

FIPS 140-2 Implementation Guidance updated

The FIPS 140-2 Implementation Guidance document was updated on December 21, 2012.  (You may need to refresh your browser to pick up the recent update.)

Updated Implementation Guidance:
  • G.5 Maintaining validation compliance of software or firmware cryptographic modules
    • Included reference to the impact to the generated key strength assurance when porting, and vendor Security Policy updates.
  • G.13 Instructions for Validation Information Formatting
    • For all embodiments, the OE shall be specified on the validation entry.
  • G.14 Validation of Transitioning Cryptographic Algorithms and Key Lengths
    • Addressed two-key Triple-DES requirements.
  • D.8 Key Agreement Methods
    • IG updated to address SP 800-135rev1.