May 1, 2013

7.5 months for the CMVP queue

InfoGard's current estimate for the CMVP queue time is 7.5 months (this is the time between report submission -- "Review Pending" -- to the time the Lab receives comments from the CMVP -- "Coordination").  

  • 7.5 months is the expected maximum length of time -- InfoGard has received CMVP comments well under that time for some of our reports.
  • This estimate is based on InfoGard's report submissions and the trends observed in the Modules in Process list.

I was encouraged during my review of the most recent FIPS 140-2 Modules in Process list.  The number of modules in the "Review Pending" and "In Review" columns total 96.  This number represents the CMVP report queue and the trend is pushing downwards (this total has been over 110 recently).

I thought that CMVP review times were going to steadily increase throughout 2013.  Our information shows that the review times are holding steady.

The 71 reports in "Coordination" is higher than desired.  Vendors, Labs, and the CMVP all share responsibility in moving reports from "Coordination" to "Finalization."  Reducing the number of reports in "Coordination" allows the CMVP to focus more on the reports in the review process.  When less time is spent on "Coordination" efforts, the queue time for report reviews improves.

If you are a Vendor with a report that is currently in "Coordination," take the following proactive steps to assist in the validation effort:

  1. Stay in communication with your FIPS Laboratory or Consultant.  If you have actions to complete, let your FIPS contact know your target completion date for your action items.
  2. If you are updating your FIPS 140-2 Security Policy (likely), then be sure to follow your configuration management system to properly version control the updated document (e.g., change the version number and date).
  3. Ask your Laboratory (or Consultant) to provide the date they expect to submit responses back to the CMVP. Request confirmation when responses are returned.
  4. At InfoGard, we contact the CMVP if we have not received an update after 2 weeks.  If you have not received an update after 2 weeks, contact your Laboratory (or Consultant).  (Please do not contact the CMVP directly.  The CMVP politely requests that you communicate through your Laboratory.)
  5. When the CMVP responds to the Laboratory, your report either moves into "Finalization" or there are additional comments.  For additional comments, repeat steps 1-4.
Please contribute your comments to this post or contact me directly.  

Contact info:
Mark Minnoch
InfoGard Laboratories
FIPS Program Manager


  1. Hi Mark,

    This query is not relevant to this post, but I couldn't find a better place. Excuse me for this improper placement. I would love to repost it if there is a suitable thread, so that others get helped.

    In one of our high availability solution, we want to use TWO HSMs (FIPS 140-2 Level-3 certified). We would also like to load balance the requests to scale up to TWO HSMs.

    For this design, we need to copy CSPs generated on one HSM to the other HSM.
    Can a CSP be exported from HSM in encrypted/wrapped form and then be imported to other HSM?

    If one can export CSPs in wrapped form, I have the following question:

    HSMs from different vendors may have different import/export mechanisms. They may not be compatible. In this case, can we unwrap the exported CSP and wrap it as expected by the other HSM and import it?

    I would appreciate your insightful comments.


    1. Phani,

      SP 800-38F (Key Wrapping) is listed in FIPS 140-2 Annex D as an Approved Key Establishment Technique. You are correct, that CSPs transferred between HSMs must be encrypted/wrapped.

      Since you need a way to support other methods, verify with your FIPS Laboratory that your key establishment techniques are allowed before you begin development.

      I made some assumptions in trying to understand your question: "can we unwrap the exported CSP and wrap it as expected by the other HSM and import it?"

      Please provide additional details using HSM "A" and HSM "B" when describing the key establishment process if my response above is not helpful to you.

    2. Hi Mark,

      Thank you the clarification.

      Following description is to make sure that we are on same page.

      I have a machine with two HSMs A and B from different vendors. Both HSMs support key establishment schemes(KES), but are of different methods described in SP 800-56.
      Here is my algorithm to copy CSPs from HSM-A to HSM-B.

      1) HSM-A and Host Machine runs KES to generate a Key Wrap Key, KWK-A
      2) HSM-B and Host Machine runs KES to generate a Key Wrap Key, KWK-B
      3) HSM-A has a CSP, this will exported to Host wrapping with KWK-A
      4) Host can unwrap it with KWK-A and then wrap it with KEK-B
      5) Import the KEK-B wrapped CSP to HSM-B.

      Is this valid?