New Guidance On FIPS 140-2 Listings

The Cryptographic Module Validation Program (CMVP), which was established by NIST to validate modules for the Federal Information Processions Standard (FIPS), has announced upcoming policy changes for the Modules In Process (MIP) list and Implementation Under Test (IUT) phase.

CMVP has stated that “Over the past year, the CMVP has made great strides in reducing the amount of time to complete a validation. To continue to improve our efficiency by focusing on modules where the lab and vendor are motivated, the CMVP will implement the following policies.”

Effective July 1, 2017:

1.    The CMVP will automatically drop modules in the IUT phase after 18 months

2.    The amount of time for the labs to respond to CMVP comments will be reduced from 120 days to 90 days. After 90 days, the module will be placed on hold and removed from the MIP list

Effective January 1, 2018:

1.    The CMVP will drop modules that have not been validated within 2 years of submission or IUTB, whichever occurred first. When the module is dropped, the vendor and lab will have to restart the validation process by sending an updated submission and paying a new cost recovery fee at the current rate

What does this Mean for Current and Future Validations?

If you are currently in the IUT phase of your validation, it is critical that you are steadily moving forward with all necessary requirements. Companies that have been in this phase for an extended period of time are at risk of wasting months if not years of hard work. Companies with a lack of experience and expertise on the requirements may need additional support to ensure they are not removed from the validation process.

For future validation efforts, the proper planning and analysis of your product is key. Establishing the proper benchmarks and understanding how your product matches the requirements will help ensure you do not get caught in engineering delays that could cause you to “sit” in the IUT phase and ultimately throw out of the process.

Managing your validation and aligning resources to ensure proper identification, creation, and review of all materials is a must for companies hoping to finish in a timely manner.

Need help with your validation?

Not sure where to go from here?

Corsec has a wide array of services to help you wherever you are in the validation process. Speak directly to an expert who can help you get back on track today!

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe