May 29, 2015

Urgent: CMVP Guidance Effective Immediately

This morning, the CMVP released a notice to all labs acknowledging that not all SP 800-90A DRBG implementations submitted for validation have been entirely compliant with the SP 800-90A standard.

Specifically, Section 11.3 of the standard requires that certain health checks be performed.  It was not always clear that these health checks were required for CMVP validation.  In fact, based on some interpretations, wording within SP800-90A itself would leave some to believe that they were, indeed, not required.

The CMVP's stance, based on guidance from the Cryptographic Technology Group, is now that these health checks are absolutely required in order to claim that a DRBG implementation is compliant to 800-90.  This guidance is effective IMMEDIATELY, and even impacts modules that are currently in the queue and in the Coordination phase.

For reports currently in the queue where the module does not implement a compliant DRBG, the lab is to notify the CMVP to put the submission on HOLD until the DRBG implementation comes into compliance and is tested by the lab.
(UPDATE as of 6/1/15 - For reports in the queue where the module does NOT implement the health checks, the lab is still to notify the CMVP to place the report on HOLD, but there are two options for moving forward. One, is to bring the module into compliance and resubmit the report with all appropriate test evidence.  Or two, is to rework the validation documentation and report to show the DRBG implementation as Non-Compliant.  This would include identifying all services within the SP and report that utilize the non-compliant DRBG.  The lab can resubmit the reworked SP and report to the CMVP and the validation will proceed accordingly).

If your particular module is impacted by this, make the appropriate changes now and work with your lab to have them tested (i.e. operational tested and/or code reviewed).