November 14, 2012

FIPS 140-2 report queue

Let's take a look at the numbers for the FIPS 140-2 Modules in Process list on the NIST website (Nov 13, 2012 update).


The "Review Pending" column shows 95 FIPS 140-2 reports have been submitted to the CMVP but Reviewers have not yet been assigned.  As you might have guessed, this is a large number of reports waiting to be reviewed (this number has increased over the year).  The CMVP is responsible for moving reports to the next phase of "In Review."

The "In Review" column indicates that 17 reports have been assigned to Reviewers.  My guess is that each Reviewer has between 4-6 reports in various stages of the review process (typically, 2 Reviewers are assigned to each report).  The CMVP is responsible for moving reports to the "Coordination" phase.

The 52 reports in the "Coordination" phase mean that the CMVP has completed its initial review and clarifying questions have been sent to the testing laboratory.  This is a very high number of reports for the CMVP to manage and it has a direct impact on the queue time.  Again using my guessing skills, I estimate that each Reviewer maintains 12-18 reports in the "Coordination" phase.  The Vendor, Laboratory, and CMVP Reviewers all share responsibility for moving the report to the "Finalization" phase.

The 9 reports in the "Finalization" phase are near the finish line.  The Reviewers' comments have been satisfied and the CMVP is completing administrative tasks prior to posting the validation certificate on the NIST website.

Because of the heavy volume and recent report activity, InfoGard increased our current estimate for the CMVP queue time to 6-7 months (this is the time from report submission -- "Review Pending" -- to the time the lab receives comments from the CMVP -- "Coordination").

Circling back to the first column, the "IUT" or "Implementation Under Test" count of 112 indicates that at least 112 modules are currently in the testing process.  The responsibility for moving a module into the "Review Pending" phase lies with the Vendor and Laboratory.  A report submission to the CMVP is the trigger that moves the module into the "Review Pending" phase.

The FIPS 140-2 Modules in Process list is updated weekly by NIST.

November 9, 2012

NIST SP 800-90 B Draft comments due December 5

Reminder to all:  Comments are due December 5, 2012 for the NIST SP 800-90 B DRAFT Recommendation for the Entropy Sources Used for Random Bit Generation.

We have carefully reviewed this document here at InfoGard and I know that NIST is very interested in receiving feedback from vendors.

At a minimum, review the document containing 5 questions NIST is asking about this Recommendation.

October 10, 2012

NIST Random Bit Generation Workshop, Dec 5-6, 2012

NIST announced a Random Bit Generation Workshop December 5-6, 2012, in Gaithersburg, Maryland.  The intended audience includes industry and government.  Registration is limited and closes November 26, 2012.

The workshop will discuss SP 800-90A/B/C (with the primary focus expected to be on the entropy sources in SP 800-90B).


October 3, 2012

SHA-3 winner announced

Congrats to the cryptographers of Keccak for winning NIST's SHA-3 competition.

The short SHA-3 Selection Announcement is worth the read.

I've already been asked the following question:
Q:  When will SHA-3 be an approved security function for FIPS 140-2 cryptographic modules?

The answer is easy, but I do not know the date:
A:  As soon as it is included in Annex A:  Approved Security Functions for FIPS 140-2

Additional info:  Wiki on SHA-3 NIST hash function competition

September 25, 2012

Unofficial FIPS 140-3 schedule

Thank you, dear readers, for your interest in my "unofficial FIPS 140-3 schedule" updates.  By popular demand, I've been asked to communicate my best guesses again.

Here are the latest dates from NIST's FIPS 140-3 Pub Development page:

  • On October 1, 2012, the additional public comments period closes for specific sections of the second draft of FIPS 140-3 (comments on sections not specifically listed will not be considered).
  • During 2Q of 2013 (April/May/June), all public comments will be addressed by NIST.
  • The remaining schedule milestones do not have target dates so this is where I begin my guessing...

Here are my thoughts on the remainder of FIPS 140-3 schedule:

  • The scope of the current public comment period is focused.  My approach is to pick more aggressive dates than I have in the past as I do not anticipate any significant changes to the working draft.
  • 3Q of 2013 (July/August/September) - FIPS 140-3 presented to the Commerce Department for signature.
  • 1Q of 2014 (January/February/March) - FIPS 140-3 becomes effective.  The Derived Test Requirements have already been published by now.  Modules may be validated by Labs for FIPS 140-3 requirements.
  • 3Q of 2014 (July/August/September) - the transition period for completing FIPS 140-2 reports ends. All new validation reports submitted must be validated to FIPS 140-3 requirements.  
  • 2015 - Any products in the planning cycle that are to be released in 2015 must be designed to meet FIPS 140-3 requirements.

In other news, ISO/IEC 19790:2012 was published in August 2012.  This is an international standard that evolved from the original FIPS 140-3 draft.  The Derived Test Requirements for 19790, ISO/IEC 24759, may be published in 4Q 2013 (October/November/December).  If the FIPS 140-3 publication followed an alternate path to adopt 19790 (with allowances for US and Canadian specific security functions and other requirements), then the overall schedule may be a Quarter sooner than my estimated schedule above.  There are no official plans for FIPS 140-3 to adopt 19790.

Reference Links:
Official FIPS 140-3 Pub Development
ISO / IEC 19790:2012


August 31, 2012

NIST seeking comments on FIPS 140-3 draft

Here is the link to the latest FIPS 140-3 draft:   http://csrc.nist.gov/news_events/index.html#august30

Comments are requested on or before October 1, 2012.

NIST plans to address all public comments in the 2nd Quarter of 2013.  The updated FIPS 140-3 Development Status information is here:  http://csrc.nist.gov/groups/ST/FIPS140_3/


August 30, 2012

CMVP review times currently in the 4-6 month range

InfoGard's Quality Manager informed me that CMVP review times have slipped to the 4 to 6 month range for FIPS reports this summer.  We attribute the summer slow-down to CMVP vacations, new Implementation Guidance, and a surge in report submissions by Labs in the spring.

When selecting a FIPS Laboratory for your next FIPS project, make sure to ask about the Lab's report review process prior to submission.  InfoGard has a deliberate review process involving an independent technical review by a FIPS Security Engineer, a Quality review, a Signatory review, and then a final quick Quality check at the end.  This is our secret sauce for delivering high-quality reports to the CMVP.  Clear, consistent, and compliant reports are easily reviewed by the CMVP allowing you to reach your product sales goals sooner.