FIPS 140-2 Sunset Policy Update!

The CMVP, the governing body that oversees U.S. FIPS 140-2 validations, has made drastic changes over the past year to the policy governing product certification longevity.

This week it went one step further and updated its Validation Sunsetting Policy, a move that will impact a large number of companies and products.

Key takeaways from this release for product vendors:

  1. All validations with the most recent validation date before Feb 1, 2012 will be moved to the Historical List
  2. All FIPS 140-1 validations will be moved to the Historical List
  3. The Historical List is NOT to be used for procurement by federal agencies
  4. 1A and 1BSUB scenarios will inherit the sunset date of the original certificate and 1SUB scenarios will not reset the sunset date

Contact Corsec for help on maintaining your validation

Below is the release by CMVP, which mandates new requirements on vendors maintaining and updating their FIPS validations:

[Updated 06-01-2016][11-12-2015] — Validation Sunsetting Policy

The CMVP is adopting a five year validation sunsetting policy, effective February 1, 2017. The CMVP will move all validation entries with most recent validation dates** prior to February 1, 2012 and all FIPS 140-1 validation entries from the Active Validation Lists to the Historical Validation List. The Historical Validation List is not to be used for procurement by federal agencies. To maintain compliance with FISMA, agencies that use modules on the Historical List must make a risk management decision whether to continue to use these modules or replace them with compliant modules from the Active Validation Lists.

Through January 31, 2017, vendors may reinstate affected modules in one of the following ways:

  • Modules fully compliant with the latest standard and guidance: 1SUB scenarios, reaffirming the validation. Vendors must work with one of the NVLAP accredited Cryptographic and Security Testing Laboratories to prepare the submission for CMVP. The laboratory will review the module and confirm it complies with all applicable transitions (e.g. 2-key Triple-DES, RNG).
  • Modules that require some maintenance changes: all available revalidation scenarios – see FIPS 140-2 Implementation Guidance – G.8.

**[Note: The most recent validation date for a module is the latest update of the validation certificate as the result of the original submission or any of the available revalidation scenarios (1SUB, 2SUB, 4SUB).]

  • Effective July 1, 2016, for validation entries on the Historical List, the CMVP will only accept 1SUBs for administrative updates (e.g. updating contact information). The CMVP will not accept 1SUBs for any other types of updates (e.g. adding operating environments).
  • Effective February 1, 2017, 1A and 1BSUB scenarios will inherit the sunset date of the original certificate.
  • Effective February 1, 2017, 1SUB scenarios will not reset the sunset date.

To read the full report, visit the CMVP site.