May 31, 2016

CMVP Validation Sunsetting Policy

Based on a CMVP notice from November 2015, we know that starting in 2017 the CMVP will move all 140-1 certificates and any 140-2 certificates older than 5 years to the Historical List. The goal is to keep current, valid crypto modules in circulation among federal agencies. Remember that the Historical List is a "do not buy" list for US federal government procurement purposes. Under the previous policy, the 5 year clock started running from the last date on which a certificate was modified. Between now and February 1, 2017, minor updates, such as updating vendor contact information or the module name, will still reset the 5 year clock. After February 1, 2017, however, any validation submission that is a maintenance effort (i.e., 1SUB, 2SUB, and 4SUB submissions in CMVP speak) will NOT reset the 5 year clock. With this change, vendors have the rest of 2016 to complete a minor update effort that would extend the life of their certificates. After that, in order to stay off the Historical List, it must be proven that the module meets all current guidance.

Another topic to be aware of is that rebranding of an OEM module (1SUB scenario A submissions) will come under much more scrutiny from labs and CMVP reviewers when this policy goes into effect. It will have to be demonstrated that the rebranded module meets all current guidance. Alternatively, the CMVP may choose to accept 1SUB scenario A submissions only within a certain amount of time from the original OEM validation date. The CMVP will provide further clarification on how it will accept rebranded modules.

We can expect an update to the validation sunsetting policy on the CMVP website soon.