In an effort to improve the United States’ ability to identify, deter, protect against, detect, and respond to malicious actors and attacks, the President of the U.S. has issued a new Executive Order (EO) to ensure all Federal Information Systems react to meet or exceed the standards and requirements outlined for cybersecurity. To accomplish this, the EO identifies the private sector as a major contributor to helping secure the Nation’s cyberspace.

As outlined in the EO, the scope of protection and security will include 1.) Systems that process data (information technology (IT)) and 2.) those that run the vital machinery that ensures our safety (operational technology (OT)).

The President has stated “the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life. ”

Corsec has outlined high level details associated with the order that could impact future policy, requirements, and operations within the U.S. federal government:

Section 2: Removing Barriers to Sharing Threat Information

• Develop a plan to allow further sharing of insights into cyber threat and incident information from Federal Information Systems by removing service provider contractual barriers – A review of the FAR and DFAR contractual language shall be completed within 60 Days
• Require information and communication technology (ICT) service providers to promptly report cyber incidents to the government – The government shall recommend such language for contacts with ICT service providers within 45 Days. Within 90 Days, procedures for sharing such reports will be agreed upon.

Section 3: Modernizing Federal Government Cybersecurity

• An overview of the steps and solutions needed to help prevent modern and sophisticated attacks on the U.S. federal government; including, Zero Trust Architecture, Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) solutions – The Government shall create a plan to utilize these technologies within 60 Days while creating a cloud-services governance Framework. Within 90 days the Government shall create a report on the sensitivity of their data with respect to unclassified information. Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit.

Section 4: Enhancing Software Supply Chain Security

• The Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software – Within 90 Days the Government will implement best practices and other policy standards to improve the software supply chain.  Such guidance will include, among other criteria, “employing encryption for data”, and “establishing multi-factor, risk-based authentication and conditional access across the enterprise”.  Within 1 year the Government will produce language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to this section (this will apply to renewals of contracts as well).

Section 5: Establishing a Cyber Safety Review Board

• The Board shall review and assess, with respect to significant cyber incidents affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.

Section 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

• Align agency cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting systems – the Government shall develop a set of operational procedures (a playbook) for government wide use within 120 Days. Part of this will be to “incorporate all appropriate NIST standards”

Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks

• Increase the effort to increase detection of cybersecurity vulnerabilities and threats to agency networks and gain visibility into incidents through deployment of an Endpoint Detection and Response (EDR) initiative – Within 90 Days the Government will issue requirements for such a system. Among other requirements, “ensure alignment between Department of Defense Information Network (DODIN) directives and FCEB Information Systems directives”

Section 8: Improving the Federal Government’s Investigative and Remediation Capabilities

• Agencies and their IT service providers shall improve collection of information from network and system logs on Federal Information Systems (for both on-premises systems and connections hosted by third parties, such as CSPs) and, when necessary to address a cyber incident on FCEB Information Systems. “Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention” – Within 90 Days, agencies must establish requirements for logging, log retention, and log management.

Section 9: National Security Systems

• Within 60 Days, the Government “shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. Such requirements shall be codified in a National Security Memorandum (NSM).”

###

The Cryptographic Module Validation Program (CMVP) is a part of the National Institute of Standards and Technology (NIST) which operates under the Department of Commerce.  The CMVP’s role is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules, this primarily occurs through management and oversight of the testing required as part of the FIPS 140-2 / FIPS 140-3 validation standards.

The CMVP is currently experiencing longer than usual evaluation periods within the FIPS 140 programs. To rectify and hopefully assist in shortening those wait times, the CMVP is looking to automate processes and procedures related to the evaluation and testing of these cryptographic modules.

To support this newly identified objective, the CMVP has developed a draft document which outlines assumptions, challenges, current architectures, requirements, and guidance.  The ultimate goal is to identify ideas and recommendations on how to automate some of the more tedious and manual elements of the FIPS 140 evaluation process.  Specifically stating they hope to improve efficiencies and timelines within CMVP operations.

Some of the current challenges outlined include:

• An increase in complex modules being evaluated
• A lack of human resources to address the influx in evaluations
• Insufficient information/documentation submissions
• Operating Environment Updates

This is not the first time the CMVP has turned to automation, as they recently implemented a change to the methods for testing algorithms within the Cryptographic Algorithm Validation Program (CAVP). Read more about that transition here.

Although the effects of such an effort are not expected to make an impact in the near term, it is a positive sign that the CMVP is actively trying to improve things in the long run.

###

Press Contact:

Press Contact:

Recent Implementation Guidance (IG) from NIST could impact vendor algorithms. The following overview has been created to summarize those critical dates and associated algorithms.

AES CBC-CS1, CBC-CS2, CBC-CS3 (IG A.12)

• Until Sep. 1, 2020, implementations that claim vendor affirmation to NIST SP 800-38A Addendum A will be accepted for submission.
• After Sep. 1, 2020, only implementations that are CAVP-tested for compliance toNIST SP 800-38A Addendum A will be accepted for submission.

SHAKE and KECCAK-based hash algorithms (IG A.15)

• Until Sep. 1, 2020, implementations that claim vendor affirmation to NIST SP 800-185 will be accepted for submission.
• After Sep. 1, 2020, only implementations that are CAVP-tested for compliance toNIST SP 800-185 will be accepted for submission.

PBKDF (IG D.6)

• Until Dec. 31, 2020, implementations that claim vendor affirmation to NIST SP 800-132 will be accepted for submission.
• After Dec. 31, 2020, only implementations that are CAVP-tested for compliance to NIST SP 800-132 will be accepted for submission.

Key agreement schemes (IG G.20, IG D.1-rev2, IG D.1-rev3, and IG D.8)

• New submissions (3SUB, 5SUB) with previous NIST SP 800-56A-based acceptance scenarios will no longer be accepted after Dec. 31, 2020. These scenarios include, for example, allowances for leveraging a shared secret CVL and a KDF CVL to claim a compliant KAS.
• Implementations under the previous NIST SP 800-56A-based acceptance scenarios will no longer be acceptable for use in FIPS mode after Dec. 31, 2021.
  • CVL certificates used to claim compliance for key agreement schemes will become obsolete after Dec. 21, 2021.
  • New submissions with these CVL certificates will not be accepted after Dec. 21, 2021.
  • Modules with claims of compliance to NIST SP 800-56A or NIST SP 800-56Arev2 will be moved to the Historical List effective Jan 1, 2022.

• Until Dec. 31, 2020, implementations that claim vendor affirmation to NIST SP 800-56Arev3 will be accepted for submission.
• After Dec. 31, 2020, only implementations that are CAVP-tested for compliance toNIST SP 800-56Arev3 will be accepted for submission.

Key transport schemes (IG D.9)

• RSA-based implementations that claim compliance to NIST SP 800-56Brev3 will require CAVP testing after Dec. 31, 2020.
• New submissions (3SUB, 5SUB) with RSA-based implementations that are vendor-affirmed to NIST SP 800-56B will no longer be accepted after Dec. 31, 2020.
• RSA-based implementations that are vendor-affirmed to NIST SP 800-56B will be disallowed after Dec. 31, 2023.
• Non-compliant implementations of RSA key wrap will be allowed until Dec. 31, 2023.
• New submissions (3SUB, 5SUB) with non-compliant implementations of RSA key wrap will no longer be accepted after Dec. 21, 2020.

Key derivations schemes (IG D.10)

• Vendors may continue to claim vendor affirmation to NIST SP 800-56Crev1 thru Dec. 31, 2020.
• Implementations that claim compliance to NIST SP 800-56Crev1 will require CAVP testing after Dec. 31, 2020.

Need Support?

Contact Corsec to discuss your resolution path and determine if you need to take action for your validation.

In response to the COVID-19 pandemic around the globe, Corsec staff have transitioned to a telework policy to ensure the health and wellbeing of our staff, their family, and the community.

We feel fortunate to announce that during this difficult time all Corsec business operations will continue as scheduled and without interruption. Corsec staff have been successfully meeting with customers, FIPS 140-2 and Common Criteria laboratories, and our partners via video conferencing over the last month and have uniformly gotten the response that everyone is committed to keeping projects on schedule.

Corsec will continue to monitor the crisis as we move through April and into May; following guidance and information from our government and healthcare professionals.

Impact on Security Certification Programs & Resources

Government security certification activities for FIPS 140-2, Common Criteria, and the DoDIN APL continue to operate during the COVID-19 crisis. Many governments and private laboratories have transitioned to teleworking for the foreseeable future. For additional information on how these programs may be impacted or if you have specific questions on your project, Contact Corsec.

Recent News:

• NIAP has announced operations will resume:
  “Effective 18 May 2020, the NIAP office will resume operations. Thank you for your patience and understanding as this occurs.”
• DISA announced:
  “The APL will continue to be updated daily and the APCO will continue to operate. The Distributed Labs that conduct APL testing will continue to process ongoing testing adjudications as they are able.”
• NIST has announced that operations will continue but access to the Boulder, CO and Gaithersburg, MD offices is limited to mission critical staff only

Additional Resources:
NIST Guidance on Teleworking
Stay Up To Date on Changes
Certification Resources

Message From Matthew Appler, Corsec CEO

During these difficult and challenging times Corsec wants to thank our heroes on the front line fighting against COVID-19 around the globe. Our thoughts are with all those affected.

As we all adjust to new challenges, we would like to thank our customers, laboratory partners, and certification bodies that have adapted so quickly to ensure continued support and service. Corsec remains committed to providing support to our customers and the community during this crisis.

From everyone at the Corsec family, please stay safe and healthy, together we will overcome these difficult times and emerge stronger.

Press Contact: