CMVP Archives Additional FIPS Validations

On January 1, 2018, the CMVP carried out the archiving of specific FIPS modules to their Historical validations list as seen below:

“per the transition schedule published in SP 800-131Arev1, symmetric key-based key wrapping that is not compliant to SP 800-38F is no longer allowed. Accordingly, modules on the Active List were moved to the Historical List if they employed the previously non-compliant but allowed key wrapping. This is the same procedure that was followed for the non-SP-800-90A RNG transition.”

What does it mean to be added to the Historical List?

When your listing is moved, the CMVP states that the cryptographic module should not be included by Federal Agencies in new procurements. They go on to say that Agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used, but they cannot provide accurate and up-to-date guidance on how to securely use these modules. It is up to the vendor to update the Security Policy so that the users can continue to operate modules in a secure manner.

What Does This Mean For My Listing?

First, check to see if your listing was one of the modules added to the Historical list here.

  • If you were one of the unlucky ones to have been moved, and the module supports approved key wrapping, then you will only need to update the documentation accordingly, and the certificate will be moved back to the Active List.
  • If you were moved and the module still supports non-SP-800-38F-compliant key wrapping, you will need to:
    • Update the Security Policy to make it absolutely clear what services are affected
    • Update the Security Policy accordingly, and appropriate testing should be performed

*Note: For Security Level 3 and 4 modules, if they can no longer meet the FIPS 140-2 Section 1 FIPS mode indicator requirement, they must be dropped to level 2 or below in that section, as appropriate (which may cause the overall level to drop).

What Do I Do Now?

The CMVP is allowing 1SUBs to be submitted on modules affected by the transition until July 1, 2018. Any new submissions (January 1, 2018 or later) must comply with the SP 800-131Ar1 transition for SP 800-38F.

If you are unsure as to the status of your validation, how this guidance affects your historical listing, or need assistance getting back to the Active List, Contact Corsec’s team and receive information on a path that will get you back on track and selling to the Federal government.

You can always check us out on Social Media or Subscribe to our emails to get recent updates on certifications, industry news, and changes to the Federal landscape.