Cryptography, FIPS 140-2, and Lab Changes – What You Need to Know

Corsec brings highlights from recent events – offering insight into the future of Cryptographic Validations, Lab Reviews, and a potential new Inter-Agency Agreement.

Cryptographic Validations, Quo Vadis? and apropos of FIPS 140-2

Cryptographic validations currently do not have international acceptance, but the future for cryptographic validations looks promising in terms of mutual recognition. The public commenting period on the potential use of International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790 for cryptographic validation activities, currently specified by FIPS 140-2, ended on 09/28/2015.

While the formal acceptance of ISO 19790 is still pending, NIST announced at recent industry events that it intends to continue to specify the cryptographic mechanisms used by the U.S. To that end, NIST is working towards having multiple US standards in place to support the transition to ISO 19790 for all future cryptographic validations.

Contact Corsec to find out more about the transition, and how having ISO 19790 in place gives the vendor the choice as to which validating authorities receive test data.

Lab Competency

In the near future, CMVP will be tightening lab accreditation requirements, putting in place rigorous competency exams between the established labs to prove competency around entropy analysis, algorithm testing and physical testing. These restrictions come as a result of poor performance by labs and frustration from the schemes.

Uncertain which lab to select for your validation? Need insight on which labs will remain accredited and how requirement changes will affect your certification efforts? Corsec’s Advisory and Enterprise Lab Services will help guide you through the endeavor and help streamline your validation with a trusted and established lab.

New Inter-Agency Agreement

NIST and the National Information Assurance Partnership (NIAP) are now working on reestablishing an inter-agency agreement. The prospective agreement will divide the testing responsibilities between both parties in an expedient way. Implications could affect Evaluation Assurance Level 2 (EAL2) validations in the FIPS 140-2 standard and adoption of the General Purpose Operating System (GPOS) Protection Profile (PP).

What does this mean for your product? Choosing the right path to validation is essential and could not be more complex. Discuss your approach with our engineers who sit on the technical working groups for each Protection Profile (PP).