May 1, 2013

7.5 months for the CMVP queue

InfoGard's current estimate for the CMVP queue time is 7.5 months (this is the time between report submission -- "Review Pending" -- to the time the Lab receives comments from the CMVP -- "Coordination").  

  • 7.5 months is the expected maximum length of time -- InfoGard has received CMVP comments well under that time for some of our reports.
  • This estimate is based on InfoGard's report submissions and the trends observed in the Modules in Process list.

I was encouraged during my review of the most recent FIPS 140-2 Modules in Process list.  The number of modules in the "Review Pending" and "In Review" columns total 96.  This number represents the CMVP report queue and the trend is pushing downwards (this total has been over 110 recently).

I thought that CMVP review times were going to steadily increase throughout 2013.  Our information shows that the review times are holding steady.

The 71 reports in "Coordination" is higher than desired.  Vendors, Labs, and the CMVP all share responsibility in moving reports from "Coordination" to "Finalization."  Reducing the number of reports in "Coordination" allows the CMVP to focus more on the reports in the review process.  When less time is spent on "Coordination" efforts, the queue time for report reviews improves.

If you are a Vendor with a report that is currently in "Coordination," take the following proactive steps to assist in the validation effort:

  1. Stay in communication with your FIPS Laboratory or Consultant.  If you have actions to complete, let your FIPS contact know your target completion date for your action items.
  2. If you are updating your FIPS 140-2 Security Policy (likely), then be sure to follow your configuration management system to properly version control the updated document (e.g., change the version number and date).
  3. Ask your Laboratory (or Consultant) to provide the date they expect to submit responses back to the CMVP. Request confirmation when responses are returned.
  4. At InfoGard, we contact the CMVP if we have not received an update after 2 weeks.  If you have not received an update after 2 weeks, contact your Laboratory (or Consultant).  (Please do not contact the CMVP directly.  The CMVP politely requests that you communicate through your Laboratory.)
  5. When the CMVP responds to the Laboratory, your report either moves into "Finalization" or there are additional comments.  For additional comments, repeat steps 1-4.
Please contribute your comments to this post or contact me directly.  

Contact info:
Mark Minnoch
InfoGard Laboratories
FIPS Program Manager