NIAP archives Products with Outdated RNG

NIAP, the governing body over Common Criteria in the U.S., announced last week that it would be removing products from their Product Compliant List (PCL) that do not meet new Random Number Generator (RNG) requirements.  This announcement is directly tied to current U.S. government purchasing policies. In a similar case, CMVP, the organization that oversees FIPS 140-2, implemented changes to their RNG requirements, effectively removing thousands of products from their procurable solutions list.

NIAP posted the announcement last week:

“Effective January 2016, the random number/bit generators specified in ANSI X9.31 and DUAL_EC_DRBG are disallowed for the U.S. government. NIST provided notice in SP 800-131A, dated January 2011, and SP 800-131A Revision 1, dated November 2015 about the January 2016 effective date. As a result, NIAP is no longer posting products using the ANSI X9.31 RNG and/or DUAL_EC_DRBG to the Product Compliant List (PCL). In addition, NIAP is reviewing each product on the PCL affected by the NIST transition.  Products which only utilize a disallowed RNG will be archived immediately and vendors will be notified. For products which employ multiple RNG/DBRGs, vendors will be given a 30-day timeframe to determine, and submit an Impact Analysis Report (IAR),  if their product may be updated through NIAP’s Assurance Continuity process.” You can find the post here.

In a shift from standard operating procedure, NIAP is now reviewing products and removing them based on current Common Criteria policies. Previously, all products were validated against the criteria that were required at the time that the product went through the evaluation process.  The product’s certificate would have remained valid for 24 months, at which point the vendor would then need to seek an updated evaluation to stay up to date on any changes to the criteria. This change could impact a large number of products and will force vendors to take swift and immediate action if they wish to keep their products in the hands of their customers.

Contact Corsec for help on maintaining your current certification and avoid costly de-listing in the future.