October 18, 2013

No perfect storm for the FIPS 140-2 report queue?

A comparison of the CMVP's Modules in Process list pre- and post-government shutdown shows that the expected "welcome back to work" flood of reports did not materialize.  In the simplest of explanations, the CMVP queue only increased by 3 reports during the furlough.

Let me explain my thinking.  The following picture shows the Modules in Process totals updated 10/17/2013 (after NIST returned to work):

The "Review Pending" column shows 73 FIPS 140-2 reports have been submitted to the CMVP but Reviewers have not yet been assigned.  As you might have guessed, this is a large number of reports waiting to be reviewed, but this number was 69 before the shutdown.  The CMVP is responsible for moving reports to the next phase of "In Review."

The "In Review" column indicates that 12 reports have been assigned to Reviewers.  This is actually a decrease from the 19 shown on the 9/30/2013 report.  7 or more reports moved into the coordination phase once NIST returned.  The CMVP is responsible for moving reports to the "Coordination" phase.

The 86 reports in the "Coordination" phase means that the CMVP has completed their initial review and clarifying questions have been sent to the testing laboratory.  This is a very high number of reports for the CMVP to manage and it has a direct impact on the queue time.  This compares to 80 at the end of September and we would expect to see this number increase with the decrease in the "In Review" phase.  The Vendor, Laboratory, and CMVP Reviewers all share responsibility in moving the report to the "Finalization" phase.

The "Finalization" phase still has 11 reports pre- and post-shutdown.

In comparing the pre- and post-shutdown grand totals for all reports, there is only a +3 gain.

"What does it all mean?"  (side note: a former co-worker used this question instead of a "hello" greeting every time someone passed him in the hall)

Here are my thoughts (and please share yours in the comment section):

  1. We may have dodged a bullet.  Perhaps I will be asking for forgiveness for my earlier prediction that review times would certainly increase. (Let's hope that I do get to apologize!)
  2. CSEC, the Canadian side of the CMVP, may have rocked through some reports while NIST was shut down.

I will continue to monitor the report queue, but for now I estimate the CMVP queue review time is 8 months.

October 11, 2013

Shut the backdoor

If you have a FIPS 140-2 cryptographic module that implements the Dual EC DRBG from SP800-90A, then you may be fielding questions from your customers after they read articles like this one from the IEEE Spectrum:  Can You Trust NIST?

Please contact me if InfoGard performed your FIPS 140-2 validation.  I would be happy to help determine if your Dual EC DRBG function can be disabled in a new version of your crypto module without going through a lengthy revalidation effort.

Mark Minnoch

October 7, 2013

FIPS 140-2 certs down 16% in 2013

For the first 3 calendar quarters of 2013, the CMVP has issued 126 new FIPS 140-2 certificates.  At this pace, the expected number of certificates in 2013 will be 16% less than 2012.

The NIST shutdown in October will almost certainly push the number of FIPS certificates to a low level not seen since 2007.

Here are the 2013 FIPS 140-2 certificate totals by Laboratory through September 30:

October 4, 2013

Alternate website for FIPS 140-2 certificate information

Don't let the NIST shutdown keep you from accessing details of the FIPS 140-2 validated cryptographic modules.  The folks at Cryptsoft maintain a copy of the information that is publicly available from NIST (well, available during non-furlough days):  http://www.cryptsoft.com/fips140/

The information is current (last update was September 30, 2013).

October 1, 2013

NIST CMVP employees are furloughed

Any work requiring NIST CMVP involvement will be delayed until the US government executes a resolution to the budget.  This shutdown will impact all FIPS 140-2 validations and revalidations in review by the CMVP, maintenance letters, and algorithm testing.

InfoGard and other FIPS laboratories will remain open.  Lab testing services that do not require NIST CMVP involvement will continue.

The CSEC side of the CMVP will continue their operations, although no validations will be completed without a NIST signatory.

This shutdown will increase the already long CMVP review times for FIPS 140-2 reports.  The CMVP is currently reviewing reports that were submitted in January.