During the recent Cryptographic Module User Forum (CMUF) meeting, CMVP, which oversees FIPS 140-2 validations in the United States and Canada, announced updates and changes to policy for stagnant modules, the historical list, and documentation definitions for maintenance. These changes will impact a number of modules, and could delay, or even stop your validation if not properly addressed. In some cases, the validation process will need to be restarted, resulting in additional fees and devastating re-work.
Stagnant Modules:
- IUTB – The new implementation guidance addresses when the official review begins based upon receipt of the report and payment submission.
- IUTB Removal – Modules on the IUTB for longer than 90 days with no report will be put On Hold and removed from the list.
- IUTB Re-Listing – Once the invoice is paid AND the report is received, the module will be placed back on the list.
- IUT – Modules will automatically be dropped after sitting on the list for 18 months, aside from modules that are a result of a stagnant IUTB
- MIP List – Modules sent to the lab with no comments file from the lab after 120 days will be put On Hold and removed from the MIP list.
- Effective July 1, 2017, that 120 period will be reduced to 90 days.
- MIP Re-Listing – When the lab sends the comments file back, the module is retuned to its place in the queue and will be added back to the MIP list.
- Validations – Effective January 1, 2018, all submissions must be completed within 2 years of the report submission date or the UTB request date (whichever occurred first). After 2 years, the module will be dropped. The process will then need to start over again, including payment of fees. This will affect all new and current submissions.
The Historical List:
- Effective February 1, 2017, all modules that were not validated or revalidated within the past 5 years were dropped (575 certs).
- These certifications ARE NOT TO BE USED FOR PROCUREMENT BY FEDERAL AGENCIES. If your module was removed, your customers could discontinue use of your product and cease all future purchases.
- Re-Listing – 1SUBs will be allowed for administrative updates where the module is unchanged and 3SUBs will be required for up to 2 years after the certificate’s sunset date.
2SUB Definition:
- Effective May 2017, a 2SUBs will be allowed for extending the certificate’s sunset date, if, the Module has not changed, the module meets all of the latest standards, implementation guidance, and algorithm testing at time of submission, and finally, if the module has not yet been sunset.
Please Contact Corsec if you have any questions, concerns, or need to augment your current validation.
Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe
Corsec Social Media
