The NIST shutdown in October will almost certainly push the number of FIPS certificates to a low level not seen since 2007.
Here are the 2013 FIPS 140-2 certificate totals by Laboratory through September 30:
October 7, 2013
FIPS 140-2 certs down 16% in 2013
For the first 3 calendar quarters of 2013, the CMVP has issued 126 new FIPS 140-2 certificates. At this pace, the expected number of certificates in 2013 will be 16% less than 2012.
The NIST shutdown in October will almost certainly push the number of FIPS certificates to a low level not seen since 2007.
Here are the 2013 FIPS 140-2 certificate totals by Laboratory through September 30:
The NIST shutdown in October will almost certainly push the number of FIPS certificates to a low level not seen since 2007.
Here are the 2013 FIPS 140-2 certificate totals by Laboratory through September 30:
October 4, 2013
Alternate website for FIPS 140-2 certificate information
Don't let the NIST shutdown keep you from accessing details of the FIPS 140-2 validated cryptographic modules. The folks at Cryptsoft maintain a copy of the information that is publicly available from NIST (well, available during non-furlough days): http://www.cryptsoft.com/fips140/
The information is current (last update was September 30, 2013).
The information is current (last update was September 30, 2013).
October 1, 2013
NIST CMVP employees are furloughed
Any work requiring NIST CMVP involvement will be delayed until the US government executes a resolution to the budget. This shut down will impact all FIPS 140-2 validations and revalidations in review by the CMVP, maintenance letters, and algorithm testing.
InfoGard and other FIPS laboratories will remain open. Lab testing services that do not require NIST CMVP involvement will continue.
The CSEC side of the CMVP will continue their operations although no validations will be completed without a NIST signatory.
This shut down will increase the already long CMVP review times for FIPS 140-2 reports. The CMVP is currently reviewing reports that were submitted in January.
InfoGard and other FIPS laboratories will remain open. Lab testing services that do not require NIST CMVP involvement will continue.
The CSEC side of the CMVP will continue their operations although no validations will be completed without a NIST signatory.
This shut down will increase the already long CMVP review times for FIPS 140-2 reports. The CMVP is currently reviewing reports that were submitted in January.
July 29, 2013
Mini-update on the FIPS 140-3 schedule
The official schedule shows that the FIPS 140-3 document is now ready for publication (July 2013) and it will be presented to the Commerce Department for signature by the Secretary of Commerce in August 2013.
Please note that the updated FIPS 140-3 document has not been made publicly available yet.
With this mini-update from the Cryptographic Technology Group (the responsible organization for developing the FIPS 140-3 publication), I am still comfortable with my guesses at the schedule I made in September 2012:
- 1Q of 2014 (January/February/March) - FIPS 140-3 becomes effective. The Derived Test Requirements have already been published by now. Modules may be validated by Labs for FIPS 140-3 requirements.
- 3Q of 2014 (July/August/September) - the transition period for completing FIPS 140-2 reports ends. All new validation reports submitted must be validated to FIPS 140-3 requirements.
- 2015 - Any products in the planning cycle that are to be released in 2015 must be designed to meet FIPS 140-3 requirements.
July 25, 2013
FIPS 140-2 Implementation Guidance updated
The CMVP published an update to the FIPS 140-2 Implementation Guidance (IG) on July 25, 2013.
Note: You must read 9.10 if you have a software-only module.
Note: You must read 9.10 if you have a software-only module.
New Implementation Guidance:
- 3.5 Documentation Requirements for Cryptographic Module Services
- 9.9 Pair-Wise Consistency Self-Test When Generating a Key Pair
- 9.10 Power-Up Tests for Software Module Libraries
- D.11 References to the Support of Industry Protocols
Updated Implementation Guidance:
- D.8 Key Agreement Methods
- Resolution section has been updated.
- D.9 Key Transport Methods
- Resolution section has been updated.
July 3, 2013
99 FIPS 140-2 certificates during first 6 months of 2013
The CMVP is maintaining their pace for issuing FIPS 140-2 certificates. Ninety-nine (99) FIPS 140-2 certificates have been issued during the first 6 months of 2013 (for comparison, 200 certificates were issued in all of 2012).
Here is the breakdown of certificates by the FIPS Laboratories for the first half of 2013:
Here is the breakdown of certificates by the FIPS Laboratories for the first half of 2013:
May 1, 2013
7.5 months for the CMVP queue
InfoGard's current estimate for the CMVP queue time is 7.5 months (this is the time between report submission -- "Review Pending" -- to the time the Lab receives comments from the CMVP -- "Coordination").
Notes:
- 7.5 months is the expected maximum length of time -- InfoGard has received CMVP comments well under that time for some of our reports.
- This estimate is based on InfoGard's report submissions and the trends observed in the Modules in Process list.
I was encouraged during my review of the most recent FIPS 140-2 Modules in Process list. The number of modules in the "Review Pending" and "In Review" columns total 96. This number represents the CMVP report queue and the trend is pushing downwards (this total has been over 110 recently).
The 71 reports in "Coordination" is higher than desired. Vendors, Labs, and the CMVP all share responsibility in moving reports from "Coordination" to "Finalization." Reducing the number of reports in "Coordination" allows the CMVP to focus more on the reports in the review process. When less time is spent on "Coordination" efforts, the queue time for report reviews improves.
If you are a Vendor with a report that is currently in "Coordination," take the following proactive steps to assist in the validation effort:
- Stay in communication with your FIPS Laboratory or Consultant. If you have actions to complete, let your FIPS contact know your target completion date for your action items.
- If you are updating your FIPS 140-2 Security Policy (likely), then be sure to follow your configuration management system to properly version control the updated document (e.g., change the version number and date).
- Ask your Laboratory (or Consultant) to provide the date they expect to submit responses back to the CMVP. Request confirmation when responses are returned.
- At InfoGard, we contact the CMVP if we have not received an update after 2 weeks. If you have not received an update after 2 weeks, contact your Laboratory (or Consultant). (Please do not contact the CMVP directly. The CMVP politely requests that you communicate through your Laboratory.)
- When the CMVP responds to the Laboratory, your report either moves into "Finalization" or there are additional comments. For additional comments, repeat steps 1-4.
Please contribute your comments to this post or contact me directly.
Contact info:
Mark Minnoch
InfoGard Laboratories
FIPS Program Manager
805-783-0810
Subscribe to:
Posts (Atom)