As you know, the U.S. federal government officially shut down many of its operations. This shutdown directly affects NIST and, as a result, impacts its FIPS validation activities. We are sending you this e-mail to let you know what resources Corsec has available and how this situation will impact your validation efforts.
As a result of the furlough, NIST’s affiliated websites are no longer available. This means that, for the duration of the shutdown, there will be no access to the various publications, links, and other resources that NIST offers online. However, Corsec maintains a collection of many of the publications found on NIST’s website (in particular, those publications and specifications associated with the CMVP and CAVP validation programs). If you are in need of a NIST or FIPS publication, please give Corsec a call, and we’ll do our best to provide you with the document you’re looking for!
CMVP director Randy Easter has issued the following in an e-mail:
“Based on the legal opinions issued by the Attorney General and the Office of Legal Counsel of the Department of Justice, all NIST CMVP employees are furloughed until this is resolved (this is in addition to most NIST employees) and the offices will be closed. All NIST CMVP activities will cease: this includes all email and other forms of electronic communication (the use of government equipment such as computers, BlackBerrys, etc. is prohibited).
While CSEC CMVP will continue operations, no validations will be completed without a NIST signatory. Please contact CSEC CMVP if you have any questions regarding FIPS 140-2, Implementation Guidance, report review, NVLAP audits, etc. during this time.)
If your module has not yet been submitted to a lab, the near-term impacts to your validation effort may be neither immediate nor direct. However, you may feel the effects later due to the cumulative impacts of the following:
· Employees of the CAVP (the algorithm validation program) are also currently furloughed under the same conditions as CMVP, and will not be accepting algorithm test reports or issuing algorithm certificates during the shutdown.
· While labs can continue their testing activities, CMVP will not be accepting new submissions for validation during the shutdown, nor will they be evaluating any current submissions.
· Because CMVP will not be reviewing modules, the queue will not show any improvement during the shutdown, and could actually become worse.
If your module is currently in BLOCK 1, you could be impacted if the testing lab requires input from the CMVP during its evaluation activities. The Canadian portion of the CMVP is not affected by the U.S. government shutdown and is available to answer questions and provide guidance. The U.S. portion of the CMVP is furloughed, and will not respond to e-mail. Testing laboratories are for-profit, independent companies that are not directly affected by the shutdown.
As these potentially affected activities are likely still weeks or months away for you, we certainly hold out hope that the government will be fully functional in time enough to minimize the impacts.
If your module is currently in BLOCK 2, this means that it will remain untouched in the CMVP queue while the shutdown is in effect. Since NIST employees are furloughed, there will be no NIST evaluators available to perform module reviews during the shutdown, and there will be no way to affect any movement in the queue. While no position will be lost, this delay will add to an already-lengthy wait (an estimated eight months pre-furlough).
If your module is currently in BLOCK 3, this means that no NIST evaluators will be available to continue or complete the module review during the shutdown. Your test lab will not be receiving any questions or comments to address, and the module’s validation status will remain unchanged until the furlough is resolved.
If your module is currently in BLOCK 4, this means that, while issues already raised by CMVP can be addressed and responded to, there will be no NIST evaluators available to review responses or complete the module evaluation.
Corsec will continue to monitor this unfortunate and untimely situation, and will notify you of any updates in status as they become available. If you have any questions, please feel free to contact us.