February 4, 2013


The FIPS 140-2 Cryptographic Modules Listings on the NIST website identify CST Labs by NVLAP numbers.

The following table is sorted by NVLAP number to make it easy to identify the Lab that performed a validation.  The list of NVLAP Testing Laboratories is maintained on the NIST website:  http://csrc.nist.gov/groups/STM/testing_labs/index.html

February 1, 2013

FIPS 140-2 report queue update

Now that January is behind us, it is time for an update on the FIPS 140-2 report queue.  In January 2013, 15 FIPS 140-2 certificates were issued -- 7 of those were validated by InfoGard Laboratories.  Go Team!

As of February 1, 2013, InfoGard has received comments from the CMVP for 4 reports that were submitted in July 2012 and we are waiting for comments on 4 other July reports.  All reports submitted prior to July have been reviewed by the CMVP.

My estimate for the current CMVP review time remains at 6 to 7 months.  I am actually very encouraged that my estimate has not increased since I went on record with my last estimate in November 2012.

I am carefully monitoring the Modules in Process list as this is an excellent indicator of FIPS 140-2 report activity.  The number of reports in the "Review Pending" and "In Review" columns has increased by 26 (a 23% uptick) since November 2012.

Longer review times may be ahead of us in 2013, so stay tuned for future updates.  High-quality report submissions are exactly what the CMVP needs to maintain and improve their review times.

January 7, 2013

FIPS 140-2 certificate totals up 8% in 2012

We ended 2012 with 20 FIPS Testing Laboratories.  Thirteen of those Laboratories completed validations for their customers last year, resulting in a total of 200 FIPS 140-2 certificates issued.  That is an increase of 8% over 2011 (there were 185 certs issued in 2011).

The FIPS Team at InfoGard Laboratories thanks our customers for making us the #1 FIPS Lab for the 4th year in a row!

Here is the breakdown by Laboratory:




January 2, 2013

SP 800-38F added to Annex D

NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, was added to Annex D:  Approved Key Establishment Techniques for FIPS PUB 140-2 on January 2, 2013.

FIPS 140-2 Implementation Guidance updated

The FIPS 140-2 Implementation Guidance document was updated on December 21, 2012.  (You may need to refresh your browser to pick up the recent update.)

Updated Implementation Guidance:
  • G.5 Maintaining validation compliance of software or firmware cryptographic modules
    • Included reference to the impact to the generated key strength assurance when porting, and vendor Security Policy updates.
  • G.13 Instructions for Validation Information Formatting
    • For all embodiments, the OE shall be specified on the validation entry.
  • G.14 Validation of Transitioning Cryptographic Algorithms and Key Lengths
    • Addressed two-key Triple-DES requirements.
  • D.8 Key Agreement Methods
    • IG updated to address SP 800-135rev1.

November 14, 2012

FIPS 140-2 report queue

Let's take a look at the numbers for the FIPS 140-2 Modules in Process list on the NIST website (Nov 13, 2012 update).


The "Review Pending" column shows 95 FIPS 140-2 reports have been submitted to the CMVP but Reviewers have not yet been assigned.  As you might have guessed, this is a large number of reports waiting to be reviewed (this number has increased over the year).  The CMVP is responsible for moving reports to the next phase of "In Review."

The "In Review" column indicates that 17 reports have been assigned to Reviewers.  My guess is that each Reviewer has between 4 and 6 reports in various stages of the review process (typically, 2 Reviewers are assigned to each report).  The CMVP is responsible for moving reports to the "Coordination" phase.

The 52 reports in the "Coordination" phase mean that the CMVP has completed their initial review and clarifying questions have been sent to the testing laboratory.  This is a very high number of reports for the CMVP to manage and it has a direct impact on the queue time.  Again using my guessing skills, I estimate that each Reviewer maintains 12-18 reports in the "Coordination" phase.  The Vendor, Laboratory, and CMVP Reviewers all share responsibility in moving the report to the "Finalization" phase.

The 9 reports in the "Finalization" phase are near the finish line.  The Reviewers' comments have been satisfied and the CMVP is completing administrative tasks prior to posting the validation certificate on the NIST website.

Because of the heavy volume and recent report activity, InfoGard increased our current estimate for the CMVP queue time to 6-7 months (this is the time from report submission -- "Review Pending" -- to the time the lab receives comments from the CMVP -- "Coordination").

Circling back to the first column, the "IUT" or "Implementation Under Test" number of 112 indicates to the CMVP that at least 112 modules are in the testing process currently.  The responsibility to move a module into the "Review Pending" phase is with the Vendor and Laboratory.  A report submission to the CMVP is the trigger to move the module into the "Review Pending" phase.

The FIPS 140-2 Modules in Process list is updated weekly by NIST.