October 18, 2013

No perfect storm for the FIPS 140-2 report queue?

After reviewing the CMVP's Modules in Process list pre- and post-government shutdown, the expected "welcome back to work" flood of reports did not materialize.  In the simplest of explanations, the CMVP queue only increased by 3 reports during the furlough.

Let me explain my thinking.  The following picture shows the Modules in Process totals updated 10/17/2013 (after NIST returned to work):

The "Review Pending" column shows 73 FIPS 140-2 reports have been submitted to the CMVP but Reviewers have not yet been assigned.  As you might have guessed, this is a large number of reports waiting to be reviewed, but this number was 69 before the shutdown.  The CMVP is responsible for moving reports to the next phase of "In Review."

The "In Review" column indicates that 12 reports have been assigned to Reviewers.  This is actually a decrease from 19 shown on the 9/30/2013 report.  7 or more reports moved into the coordination phase once NIST returned.  The CMVP is responsible for moving reports to the"Coordination" phase.

The 86 reports in the "Coordination" phase means that the CMVP has completed their initial review and clarifying questions have been sent to the testing laboratory.  This is a very high number of reports for the CMVP to manage and it has a direct impact on the queue time.  This compares to 80 at the end of September and we would expect to see this number increase with the decrease in the "In Review" phase.  The Vendor, Laboratory, and CMVP Reviewers all share responsibility in moving the report to the "Finalization" phase.

The "Finalization" phase still has 11 reports pre- and post-shutdown.

In comparing the pre- and post-shutdown grand totals for all reports, there is only a +3 gain.

"What does it all mean?"  (side note: a former co-worker used this question instead of a "hello" greeting every time someone passed him in the hall)

Here are my thoughts (and please share yours in the comment section):

  1. We may have dodged a bullet.  Perhaps I will be asking for forgiveness for my earlier prediction that review times would certainly increase. (Let's hope that I do get to apologize!)
  2. CSEC, the Canadian side of the CMVP, may have rocked though some reports while NIST was shutdown.
I will continue to monitor the report queue, but for now I estimate the CMVP queue review time is 8 months.

