Based on a CMVP notice from November 2015, we know that starting in 2017 the CMVP will move all 140-1 certificates and any 140-2 certificates older than 5 years to the Historical List. The goal is to keep current, valid crypto modules in circulation among federal agencies. Remember that the Historical List is a “do not buy” list for US federal government procurement purposes. Under the previous policy, the 5-year clock started running from the last date that a certificate was modified. Between now and February 1, 2017, minor updates, such as updating vendor contact information or the module name, will reset the 5-year clock. After February 1, 2017, however, any validation submission that is a maintenance effort (i.e., 1SUB, 2SUB, and 4SUB submissions in CMVP speak) will NOT reset the 5-year clock. With this change, vendors have the rest of 2016 to complete a minor update effort that would extend the life of their certificates. After that, staying off the Historical List will require proving that the module meets all current guidance.

Another topic to be aware of is that rebranding of an OEM module (1SUB scenario A submissions) will be under much more scrutiny by labs and CMVP reviewers when this policy goes into effect. It will have to be demonstrated that the rebranded module meets all current guidance. Alternatively, the CMVP may choose to accept 1SUB scenario A submissions only within a certain amount of time from the original OEM validation date. The CMVP will provide further clarification on how it will accept rebranded modules.

We can expect an update to the validation sunsetting policy on the CMVP website soon.