How to include additional operating environments in your Security Policy

© Mats Tooming | Dreamstime Stock Photos

Let's assume that you have met the porting requirements for listing additional operating environments in your FIPS 140-2 Security Policy. (As a reminder, those requirements are detailed in the FIPS 140-2 Implementation Guidance "G.5 Maintaining validation compliance of software or firmware cryptographic modules")

Now, you would like to include the proper wording in your Security Policy. You may use the statements below (in bold type) to add operating environments supported by your module but not included in the FIPS validation testing process:

As allowed by FIPS 140-2 Implementation Guidance G.5, the validation status of the Cryptographic Module is maintained when operated in the following additional operating environments:  [operating environment 1],  [operating environment 2], …

The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when the specific operational environment is not listed on the validation certificate.

Note 1: Don't skip on the last statement -- it's a requirement.

Note 2: The additional operating environments that meet the porting requirements are not listed on the validation certificate posted on the NIST FIPS Validated Modules website.  They will only appear in your Security Policy document that is available from that website.

Please leave a comment or contact me if you have questions.

Mark Minnoch is an Account Manager at InfoGard Laboratories.  

Build your own FIPS 140-3 survival kit

"When is FIPS 140-3 coming out?"

This is probably the question I am asked most often. It's my own fault for trying to provide my best guesses at a FIPS 140-3 schedule.

Even though my predictions have not panned out as expected, that won't deter me from attempting to be helpful.

Since the last NIST activity was to replace dates with "TBDs" on the official FIPS 140-3 schedule, my recommendation to stay ahead of the FIPS 140-3 curve is to begin building your own FIPS 140-3 Survival Kit. The first items to place in the kit are the following ISO documents:

• ISO/IEC 19790 Security requirements for cryptographic modules
• ISO/IEC 24759 Test requirements for cryptographic modules

ISO 19790 may be what NIST selects as the replacement standard for FIPS 140-2.  

ISO 24759 is the "DTR" (with all the ASxx.xx, VExx.xx.xx, and TExx.xx.xx statements as you know and love them).

Even though I've been through several California earthquakes, I am not able to predict when they will occur. I do know that I need to prepare for the next one. 

I am not certain that these ISO documents will be adopted by NIST, but it is a good idea to prepare. 

In earthquakes and FIPS, it's best to have a survival kit ready and not need it.

(Go to the next post in the FIPS 140-3 Survival Kit series)

Mark Minnoch is an Account Manager at InfoGard Laboratories.  During the 1989 Loma Prieta earthquake, he was in Santa Clara... under his desk.

FIPS and sharks

The CMVP recently emerged from "Shark Week" with all limbs attached. In fact, the results of "Shark Week" are even better than fresh fish tacos with guacamole at the beach!

The CMVP probably has a different interpretation of "Shark Week" than I do, but I don't want to interrupt any of the Reviewers to ask them for a definition (they've been busy).

At the beginning of 2014, the CMVP was faced with an enormous backlog of FIPS 140-2 reports to review -- more than 150 reports were waiting for Reviewers to complete their initial pass. When I saw this report backlog, I feared that we might start seeing CMVP review times of 1 year or more. "Shark Week" was CMVP's strategy to attack the report queue.

No mercy.
No phone calls.
No meetings.

They became sharks. Reports were their prey.

How did they do?

Much better than the seals swimming in open waters. The March 10, 2014 Modules in Process report shows only 70 reports are in the "Review Pending" or "In Review" columns --  that's more than a 50% reduction in review backlog.

There's still work to do -- the report also shows 112 reports in the "Coordination" column. The "Coordination" phase indicates that the CMVP has completed their initial review and clarifying questions have been sent to the testing laboratory. This is the highest I've seen the Coordination value. The Vendor, Laboratory, and CMVP Reviewers all share responsibility in moving the report out of the "Coordination" phase so the certificate process can begin.

Will we see 3-4 month review times again this year? It could happen (and I would have never believed it in January).

Next week is InfoGard's "Shark Week."  We have some report comments to attack!

Mark Minnoch is an Account Manager at InfoGard Laboratories.  He was chased to shore once while surfing after seeing a shark fin that actually belonged to a dolphin.