The post 2019 FIPS Implementation Guidance Updates appeared first on Corsec Security, Inc.®.

Corsec would like to recognize our partner Ivanti, the company that unifies IT to better manage and secure the digital workplace, for their dedication to securing systems and organizational commitment to security certifications.

Ivanti recently completed the Common Criteria certification process for their Ivanti® Patch for Windows a second time through, having done so under the Canadian scheme at an EAL 2+. After completing stringent third party testing, organizations around the globe can rest assured knowing the Ivanti Patch for Windows is still secure. To learn more about the product and their listing, see their full announcement here.

About Common Criteria

Common Criteria is an internationally recognized set of guidelines (ISO 15408), which define a common framework for evaluating security features and capabilities of Information Technology security products. The standard consists of several predetermined evaluation assurance levels, each one more stringent than the last. Common Criteria allows vendors to have their products tested against a chosen level by an independent third-party testing laboratory. The Common Criteria Mutual Recognition Agreement (CCRA) is a pact, which was designed to allow all evaluations up to an evaluation assurance level (EAL) 2, to be recognized by all participating countries, regardless of where the evaluation was completed. There are currently 28 countries involved in the CCRA, including the United States and Canada, with others that follow unofficially such as the EU. The U.S. government mandates Common Criteria certification of security products for federal purchases. The National Information Assurance Acquisition Policy, NSTISSP No. 11, requires agencies to purchase only those commercial security products that have met specified third-party assurance requirements and have been tested by an accredited national laboratory.

About Ivanti

Ivanti unifies IT and Security Operations to better manage and secure the digital workplace. From PCs to mobile devices, VDI, and the data center, Ivanti discovers IT assets on-premises and in the cloud, improves IT service delivery, and reduces risk with insights and automation. The company also helps organizations leverage modern technology in the warehouse and across the supply chain to improve delivery without modifying backend systems. Ivanti is headquartered in Salt Lake City, Utah, and has offices all over the world. For more information, visit www.ivanti.com and follow @GoIvanti.

About Corsec Security, Inc.

For two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2, Common Criteria (CC) and the DoD’s APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.

Connect With Us

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

          

The post Ivanti Completes Common Criteria Certification appeared first on Corsec Security, Inc.®.

Stagnant Modules:

• IUTB – The new implementation guidance addresses when the official review begins based upon receipt of the report and payment submission.
• IUTB Removal – Modules on the IUTB for longer than 90 days with no report will be put On Hold and removed from the list.
• IUTB Re-Listing – Once the invoice is paid AND the report is received, the module will be placed back on the list.

• IUT – Modules will automatically be dropped after sitting on the list for 18 months, aside from modules that are a result of a stagnant IUTB

• MIP List – Modules sent to the lab with no comments file from the lab after 120 days will be put On Hold and removed from the MIP list.
• Effective July 1, 2017, that 120 period will be reduced to 90 days.
• MIP Re-Listing – When the lab sends the comments file back, the module is retuned to its place in the queue and will be added back to the MIP list.

• Validations – Effective January 1, 2018, all submissions must be completed within 2 years of the report submission date or the UTB request date (whichever occurred first).  After 2 years, the module will be dropped. The process will then need to start over again, including payment of fees. This will affect all new and current submissions.

The Historical List:

• Effective February 1, 2017, all modules that were not validated or revalidated within the past 5 years were dropped (575 certs).
• These certifications ARE NOT TO BE USED FOR PROCUREMENT BY FEDERAL AGENCIES.  If your module was removed, your customers could discontinue use of your product and cease all future purchases.
• Re-Listing – 1SUBs will be allowed for administrative updates where the module is unchanged and 3SUBs will be required for up to 2 years after the certificate’s sunset date.

2SUB Definition:

• Effective May 2017, a 2SUBs will be allowed for extending the certificate’s sunset date, if, the Module has not changed, the module meets all of the latest standards, implementation guidance, and algorithm testing at time of submission, and finally, if the module has not yet been sunset.

Please Contact Corsec if you have any questions, concerns, or need to augment your current validation.

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

Corsec Social Media

The post CMVP Changes to FIPS 140-2 appeared first on Corsec Security, Inc.®.

The CMVP is adopting a five year validation sunsetting policy, effective February 1, 2017. The CMVP will move all validation entries with most recent validation dates** prior to February 1, 2012 and all FIPS 140-1 validation entries from the Active Validation Lists to the Historical Validation List.

The Historical Validation List is not to be used for procurement by federal agencies. To maintain compliance with FISMA, agencies that use modules on the Historical List must make a risk management decision whether to continue to use these modules or replace them with compliant modules from the Active Validation Lists.

Through January 31, 2017, vendors may reinstate affected modules in one of the following two ways:

1. Modules fully compliant with the latest standard and guidance:
   1SUB scenarios, reaffirming the validation. Vendors must work with one of the NVLAP accredited Cryptographic and Security Testing Laboratories to prepare the submission for CMVP. The laboratory will review the module and confirm it complies with all applicable transitions (e.g. 2-key Triple-DES, RNG).
2. Modules that require some maintenance changes:
   Review all revalidation scenarios: FIPS 140-2 Implementation Guidance – G.8.

**Note: The most recent validation date for a module is the latest update of the validation certificate as the result of the original submission or any of the available revalidation scenarios (1SUB, 2SUB, 4SUB).

• Effective July 1, 2016, for validation entries on the Historical List, the CMVP will only accept 1SUBs for administrative updates (e.g. updating contact information). The CMVP will not accept 1SUBs for any other types of updates (e.g. adding operating environments).
• Effective February 1, 2017, 1A and 1BSUB scenarios will inherit the sunset date of the original certificate.
• Effective February 1, 2017, 1SUB scenarios will not reset the sunset date.

Subscribe to Corsec emails and receive updates directly to your inbox!

The post Updates to CMVP’s Sunsetting Policy appeared first on Corsec Security, Inc.®.

The post Security Certification Maintenance appeared first on Corsec Security, Inc.®.

Understanding how to create your certification budget, and taking the necessary steps to follow through with that budget, can reduce your costs and simplify the certification process. We are frequently asked, “How much does certification cost?” This is similar to asking, “How much does a car cost?” The real answer is, “It depends.”

The first step in understanding how to budget for certification is to fully understand the scope of your project. Certification costs vary widely depending upon that scope. If yours is too broad, you may be needlessly spending money on a certification that will not provide a good return on investment. If your scope is too narrow, you may fail to capitalize on the true value of certification. Going through the process to properly identify the scope of your certification is the most important step to forming a meaningful budget for the project. Perhaps the key aspect in identifying the scope is determining the product or system to be evaluated. Once you’ve decided on a boundary or Target of the Evaluation (TOE) you will need to:

1. Determine the path and options available to you. For FIPS 140-2, you have the option of 4 validation levels. For Common Criteria, you may chose to certify under a Protection Profile (PP) or an Evaluation Assurance Level (EAL). These options can be done in numerous countries around the globe. When listing on the the APL, you need to determine which STIGs apply to your product.
2. Determine if the product will need to be modified in any way in order to meet requirements and how those modifications fit into the current development plan.

You have to go through the process to understand what you are certifying, and why, in order to understand what the budgetary requirements will be. Once you understand the scope of your certification process, you can begin to plan a reasonable budget. To start, make sure you cover all of the costs in your budget. Next, you must understand which parts of the budget are variable, and which parts are fixed. The following is a list of expenses that every good certification budget should include:

1. Documentation preparation

2. Project management costs

3. Development costs for algorithm testing/test case development/STIG testing/entropy supplement, etc.

4. Development costs for product modifications

5. Laboratory fees

6. Government fees

7. Testing-related travel expenses

8. Cost to distribute product to consultants and testing laboratories

Some of these costs will be “fixed price,” while others are not. Understanding how to assess these accurately is crucial to keeping “cost creep” under control. Properly scoped, this budget can be manageable and predictable. Focusing your budget on only one area of expenses, or failing to properly identify the scope your project, can result in a budget that continually expands throughout your certification effort.

For help getting started with yours, contact Corsec.

The post Budgeting for Certifications: Avoid Cost Creep appeared first on Corsec Security, Inc.®.