CMVP has new guidelines that went live last month with the release of Implementation Guidance (G.16). This update will affect product vendors that have not taken proper precautions in the project management of their FIPS 140-2 validations.
During validation, an accredited lab can submit a request form (called an IUTA) for a product to be listed on the Modules In Process list. Any time after the IUTA, a lab can submit an IUTB form that requests CMVP to invoice the lab for the cost recovery fee. If the CMVP does not receive the final test report from the lab within 90 days of confirming the IUTB acceptance, the module will be removed from the Modules In Process list.
It is imperative that the labs you are working with are aware of this, because your product may no longer be listed as In Process, and you would then no longer be able to use that status to sell within the Federal space. Program and project management is a critical component of successfully completing security certifications – Corsec’s proven methodology and project management approach ensure that your product completes every phase of the certification process, and that your goals and timelines are met.
Lack of preparedness and knowledge of the requirements could cost your project dearly. Require stringent project management on all of your certification efforts, and demand proof of policies and procedures from either your internal team or the outside partners assisting you on your project.
Learn more about Corsec’s project management and our guaranteed approach.