January 7, 2013

FIPS 140-2 certificate totals up 8% in 2012

We ended 2012 with 20 FIPS Testing Laboratories.  Thirteen of those Laboratories completed validations for their customers last year resulting in a total of 200 FIPS 140-2 certificates issued.  That is an increase of 8% over 2011 (there were 185 certs issued in 2011).

The FIPS Team at InfoGard Laboratories thanks our customers for making us the #1 FIPS Lab for the 4th year in a row!

Here is the breakdown by Laboratory:




January 2, 2013

SP 800-38F added to Annex D

NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, was added to Annex D:  Approved Key Establishment Techniques for FIPS PUB 140-2 on January 2, 2013.

FIPS 140-2 Implementation Guidance updated

The FIPS 140-2 Implementation Guidance document was updated on December 21, 2012.  (You may need to refresh your browser to pick up the recent update.)

Updated Implementation Guidance:
  • G.5 Maintaining validation compliance of software or firmware cryptographic modules
    • Included a reference to the impact on the generated key strength assurance when porting, and vendor Security Policy updates.
  • G.13 Instructions for Validation Information Formatting
    • For all embodiments, the OE shall be specified on the validation entry.
  • G.14 Validation of Transitioning Cryptographic Algorithms and Key Lengths
    • Addressed two-key Triple-DES requirements.
  • D.8 Key Agreement Methods
    • IG updated to address SP 800-135rev1.

November 14, 2012

FIPS 140-2 report queue

Let's take a look at the numbers for the FIPS 140-2 Modules in Process list on the NIST website (Nov 13, 2012 update).


The "Review Pending" column shows 95 FIPS 140-2 reports have been submitted to the CMVP but Reviewers have not yet been assigned.  As you might have guessed, this is a large number of reports waiting to be reviewed (this number has increased over the year).  The CMVP is responsible for moving reports to the next phase of "In Review."

The "In Review" column indicates that 17 reports have been assigned to Reviewers.  My guess is that each Reviewer has between 4 and 6 reports in various stages of the review process (typically, 2 Reviewers are assigned to each report).  The CMVP is responsible for moving reports to the "Coordination" phase.

The 52 reports in the "Coordination" phase mean that the CMVP has completed their initial review and clarifying questions have been sent to the testing laboratory.  This is a very high number of reports for the CMVP to manage and it has a direct impact on the queue time.  Again using my guessing skills, I estimate that each Reviewer maintains 12-18 reports in the "Coordination" phase.  The Vendor, Laboratory, and CMVP Reviewers all share responsibility in moving the report to the "Finalization" phase.

The 9 reports in the "Finalization" phase are near the finish line.  The Reviewers' comments have been satisfied and the CMVP is completing administrative tasks prior to posting the validation certificate on the NIST website.

Because of the heavy volume and recent report activity, InfoGard increased our current estimate for the CMVP queue time to 6-7 months (this is the time from report submission -- "Review Pending" -- to the time the lab receives comments from the CMVP -- "Coordination").

Circling back to the first column, the "IUT" or "Implementation Under Test" number of 112 indicates to the CMVP that at least 112 modules are in the testing process currently.  The responsibility to move a module into the "Review Pending" phase is with the Vendor and Laboratory.  A report submission to the CMVP is the trigger to move the module into the "Review Pending" phase.

The FIPS 140-2 Modules in Process list is updated weekly by NIST.

November 9, 2012

NIST SP 800-90B Draft comments due December 5

Reminder to all:  Comments are due December 5, 2012 for the NIST SP 800-90B DRAFT Recommendation for the Entropy Sources Used for Random Bit Generation.

We have carefully reviewed this document here at InfoGard and I know that NIST is very interested in receiving feedback from vendors.

At a minimum, review the document containing 5 questions NIST is asking about this Recommendation.




October 10, 2012

NIST Random Bit Generation Workshop, Dec 5-6, 2012

NIST announced a Random Bit Generation Workshop December 5-6, 2012, in Gaithersburg, Maryland.  The intended audience includes industry and government.  Registration is limited and closes November 26, 2012.

The workshop will discuss SP 800-90A/B/C (with the primary focus expected to be on the entropy sources in SP 800-90B).


October 3, 2012

SHA-3 winner announced

Congrats to the cryptographers of Keccak for winning NIST's SHA-3 competition.

The short SHA-3 Selection Announcement is worth the read.

I've already been asked the following question:
Q:  When will SHA-3 be an approved security function for FIPS 140-2 cryptographic modules?

The answer is easy, but I do not know the date:
A:  As soon as it is included in Annex A:  Approved Security Functions for FIPS 140-2

Additional info:  Wiki on SHA-3 NIST hash function competition