Certification Process Archives - Corsec Security, Inc.®

Further Automation Within The CMVP

Jake Nelson — Thu, 29 Apr 2021 15:03:39 +0000

The Cryptographic Module Validation Program (CMVP) is a part of the National Institute of Standards and Technology (NIST) which operates under the Department of Commerce. The CMVP’s role is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules, this primarily occurs through management and oversight of the testing required as part of the FIPS 140-2 / FIPS 140-3 validation standards.

The CMVP is currently experiencing longer than usual evaluation periods within the FIPS 140 programs. To rectify and hopefully assist in shortening those wait times, the CMVP is looking to automate processes and procedures related to the evaluation and testing of these cryptographic modules.

To support this newly identified objective, the CMVP has developed a draft document which outlines assumptions, challenges, current architectures, requirements, and guidance. The ultimate goal is to identify ideas and recommendations on how to automate some of the more tedious and manual elements of the FIPS 140 evaluation process. Specifically stating they hope to improve efficiencies and timelines within CMVP operations.

Some of the current challenges outlined include:

An increase in complex modules being evaluated
A lack of human resources to address the influx in evaluations
Insufficient information/documentation submissions
Operating Environment Updates

This is not the first time the CMVP has turned to automation, as they recently implemented a change to the methods for testing algorithms within the Cryptographic Algorithm Validation Program (CAVP). Read more about that transition here.

Although the effects of such an effort are not expected to make an impact in the near term, it is a positive sign that the CMVP is actively trying to improve things in the long run.

Need Support?

Contact Corsec to ask questions, discuss a project, or gain more insight on this post.

###

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

FED ROUNDUP: JULY 2019

Jake Nelson — Wed, 31 Jul 2019 18:07:31 +0000

DISA News

NIST News

Announcements:

None

Releases & Special Publications:

NIAP News

Updates:

None

Protection Profile Posting:

Peripheral Sharing Device (PSD) Protection Profile (PP), Version 4.0 and its five associated PP-Modules:
1.) PP-Module for Audio Input Devices, Version 1.0
2.) PP-Module for Analog Audio Output Devices, Version 1.0
3.) PP-Module for Keyboard/Mouse Devices, Version 1.0
4.) PP-Module for User Authentication Devices, Version 1.0
5.) PP-Module for Video/Display Devices, Version 1.0

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

FED ROUNDUP: JUNE 2019

Jake Nelson — Fri, 28 Jun 2019 13:11:36 +0000

DISA’s June News

DITCO, DISA’s contracting arm, reduces its enterprise acquisition services fee

NIST’s June News

Announcements:

NIST announces Open Security Controls Assessment Language (OSCAL), Version 1.0.0 – Milestone 1 has been released

Releases & Special Publications:

NIAP’s June News

Updates:

None

Protection Profile Posting:

None

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

FIPS 140-3 APPROVED

Jake Nelson — Wed, 01 May 2019 15:52:00 +0000

A Federal Register Notice has been issued for the “Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules”.

Having now been signed by the U.S. Commerce Secretary, it is official, FIPS 140-3 has been approved!

“This notice announces the Secretary of Commerce’s issuance of Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules. FIPS 140-3 includes references to two existing international standards: International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E) Information technology — Security techniques — Security requirements for cryptographic modules, and ISO/IEC 24759:2017(E) Information technology — Security techniques — Test requirements for cryptographic modules. As permitted by those standards, NIST Special Publication (SP) series 800-140 will specify updates, replacements, or additions to the currently-cited ISO/IEC standard, as necessary. Those new SP 800-140 documents (currently under development) will consolidate implementation guidance and administrative guidance, and will be made available for public review and comment.”

Key Dates:

Companies actively working on or planning a FIPS validation will inevitably face decisions around which standard to work towards. The following dates will be critical for those projects:

Draft For Comments: Complete
Effective Date: Complete
Publication of the Standard: Complete
Supporting Documents for FIPS 140-2 & the CMVP Released: Complete
New Testing Begins: 9/22/20
140-3 Mandated & The Last Day for 140-2 Submissions: 9/22/21 (This means Labs must submit their Lab reports to CMVP by this date)

Documentation:

CMVP wants to minimize the content in the series of NIST SP 800-140 documents because they hope to be as close to the international standard as possible. These are the documents that we believe will replace the existing FIPS 140-2 DTR, Appendices, and Annexes:

NIST SP 800-140 – FIPS 140-3 Derived Test Requirements
NIST SP 800-140A – CMVP Documentation Requirements
NIST SP 800-140B – CMVP Security Policy Requirements
NIST SP 800-140C – CMVP Approved Security Functions
NIST SP 800-140D – CMVP Approved Sensitive Security Parameter Generation and Establishment Methods
NIST SP 800-140E – CMVP Approved Authentication Mechanisms
NIST SP 800-140F – CMVP Approved Non-Invasive Attack Mitigation Test Metrics

A notable omission from the new SP 800-140 series is any reference document for Approved Protection Profiles from Common Criteria (a CC-certified operating system was required for software validations at level 2 and above).

Early Review and Analysis:

This release has been a long time coming. We still expect additional updates and changes to come, but Corsec has reviewed the public documents and found the following areas to be of interest:

Rather than encompassing the module requirements directly, FIPS 140-3 references ISO/IEC 19790:2012. The testing for these requirements will be in accordance with ISO/IEC 24759:2017
This version of FIPS 140-3 retains the 4 levels of validation
The sections in FIPS 140-3 are now as follows:
1. Cryptographic Module Specification
2. Cryptographic Module Interfaces
3. Roles, Services, And Authentication
4. Software/Firmware Security
5. Operating Environment
6. Physical Security
7. Non-Invasive Security
8. Sensitive Security Parameter Management*
9. Self-Tests
10. Life-Cycle Assurance
11. Mitigation of Other Attacks

*Sensitive Security Parameters is a new category – SSPs include both CSPs and PSPs (Public Security Parameters)

**Finite State Model was removed but may have been absorbed into section 11

***EMI/EMC was removed. There was no mention of EMI/EMC in the draft ISO 24759 either

Moving Forward:

Get Ahead: Be the first to complete the new standard (FIPS 140-3)
Revalidate Early: Avoid the new requirements prior to the mandated transition date and add 5 years to your current FIPS 140-2 validation
Plan Accordingly – Products being evaluated against FIPS 140-2 during testing transition may face problems completing their certification under old requirements.

Corsec participates in numerous committees, technical working groups, certification leadership positions, and industry events. As more information develops, we will deliver updates. Stay informed on all the program details, requirements, and timelines associated with FIPS 140-3 – Subscribe

For more information on the current FIPS 140-2 program, requirements, and process – visit here.

For any questions on how this will affect current or future FIPS projects, contact Corsec!

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

Security Certification Maintenance

Jake Nelson — Wed, 07 Dec 2016 20:16:07 +0000

As you release new versions of previously certified and validated products, it is crucial that you develop a security certification maintenance plan to keep up with the evolution of your technology. Corsec’s Maintenance and Compliance Service helps you determine whether a full re-evaluation is necessary, or if you can pursue other measures to continue generating revenue from your initial certification or validation.

Security Certification Maintenance:

Each security certification has its own unique requirements for maintenance and renewal. Corsec’s engineering team helps you understand the specific actions you will need to take for each of their products and certifications.

FIPS 140-2
The FIPS 140-2 validation process lists five change scenarios that are used to determine if a product requires revalidation, or if documentation alone can address the changes at issue. Corsec will help determine which scenario mostly closely aligns to the latest version of your product.

Common Criteria
Common Criteria determines re-evaluation through a process called Assurance Continuity (AC). If major changes have occurred in the security environment, evidence needs to be submitted to a laboratory and the product needs to be re-evaluated. If minor changes have occurred, a vendor can perform “Assurance Maintenance,” a report that is attached as an addendum to the original product certification, as long as it is within two years of the initial issuance date.

DoDIN APL
In order to maintain a listing on the DoDIN APL, you must complete a Desktop Review (DR) for each major product version. In such a review, a high-level assessment determines whether the product listing will simply be updated with the new version identifier, whether minimal testing must be performed on the new version prior to receiving an updated listing, or whether the product must undergo a new evaluation in its entirety.

Keep Products Market-Ready

Corsec helps ensure that our partners continue to benefit from the efforts they put in initially to get their products certified or validated. If you have questions on the requirements around your products’ recertification or revalidation, we can help determine the best path forward with little to no disruption of your revenue stream.

Common Criteria Schemes: Tips for Making the Right Choice

Jake Nelson — Thu, 29 Aug 2013 13:25:37 +0000

So many decisions, so little time. You’ve heard—and likely experienced—this mantra. And if you read this blog regularly, you’ve probably picked up on the fact that security validations involve making a whole host of decisions. When pursuing Common Criteria certification, one often perplexing, yet critical decision I hear people lament about is how to choose the best scheme for your product or system.

As you start out on the path to Common Criteria certification, the decisions that factor into your journey affect not only how long it takes to achieve certified status but also how much it costs—and how many times you reach for an aspirin throughout the process.

So let’s start first with the basics to get us all on the same page. Why Common Criteria? First and foremost, national government agencies are required to purchase security products that have obtained Common Criteria certification, if and when they exist. Second, we need to define the meaning of a certification scheme. Put simply, it’s an official government entity charged with ensuring the security of all government and military acquisitions. And in terms of Common Criteria, the scheme is responsible for making sure that all commercial off-the-shelf (COTS) products evaluated in that particular country have been evaluated consistently and independently according to Common Criteria requirements. Testing labs perform the actual product evaluations, and must be certified through a scheme. The scheme oversees and performs accreditations of testing labs, and is responsible for the issuance of certificates in that country.

Sixteen recognized government schemes for Common Criteria exist in the world today and include the following countries: the United States, Canada, Australia, France, Germany, Italy, Japan, Malaysia, Netherlands, New Zealand, Norway, the Republic of Korea, Spain, Sweden, Turkey, and the United Kingdom.

It stands to reason that if you’re a security product vendor in the United States, you would opt for the U.S. scheme. And if you’re a company in the United Kingdom, you’d go with the UK scheme. It’s important to realize, however, that choosing a scheme outside your home country sometimes makes the most sense. So let’s take a closer look at the variables you need to consider.

Important Considerations

Inclusion in NIAP PCL
If you are looking to be included in the National Information Assurance Product Compliant List (NIAP PCL) in the United States, then work with the U.S., Canadian, UK, or Australian scheme. These schemes have the most experience with the criteria it takes to gain NIAP PCL approval. However, keep in mind that if an evaluation is done outside of the U.S., NIAP imposes partial technical oversight for a portion of the evaluation.

And keep in mind that while NIAP states that you must use NIAP-approved PPs in order to be placed on the PCL, there are not PPs for all products so you are not actually required to conform to a PP. At some point this will, however, likely become a requirement.

Before you make a decision about the NIAP PCL and an associated PP, make sure you know the facts. And if you’re working with an outside consultant on your Common Criteria certification, talk to them about PCL.

Protection Profiles
Does your product conform to a protection profile (PP) for a particular country? All schemes can handle PPs, but the U.S. and Canadian schemes have the most experience with U.S.-approved PPs. In the case of PPs released by other countries, the scheme in the country that publishes a particular PP typically has the most experience.

Evaluation Assurance Levels
If you require an assurance level higher than EAL2, either for competitive reasons or because the agency that wants to acquire your product has dictated a higher level, then consider a scheme in Spain, Sweden, or Germany. The U.S., Canada, Australia, New Zealand and UK do not handle anything higher than EAL2.

Agency preference
If you’re working with an agency that requires or prefers evaluations to be performed in the same country, then start there—in that country.

CAPS certification
CAPS (CESG Assisted Products Service) is a certification exclusive to the UK government market, so if you also require CAPS certification, you must also use the UK scheme for your Common Criteria certification.

Assurance Continuity
Assurance Continuity, a reevaluation that takes place after changes to a certified Target of Evaluation or its environment, must be performed through the scheme that originally certified the product for Common Criteria. This makes the scheme you choose even more important because you’re establishing an on-going relationship.

Your Customer Base
Most schemes require that you prove that you have customers in their country. Canada, for instance, requires a letter from a Canadian customer as proof, while other countries may just ask for a statement from your company. Keep this in mind when taking schemes into consideration.

When you consider not only the time and cost involved but also the reason you want to pursue certification in the first place, Common Criteria is an important undertaking that can affect your revenue substantially. The decision you make regarding the scheme you select will no doubt impact next year’s bottom line.

For help sifting through the options and choosing the right Common Criteria scheme for your objectives and product, contact us today.

Why You Need Common Criteria Certification and How to Get There

Jake Nelson — Thu, 20 Jun 2013 14:38:53 +0000

In the IT security industry, research and development teams continually race to introduce new products, while at the same time, project teams improve upon existing offerings—all scrambling to ensure that the latest versions meet security functional and assurance requirements. The goal is to bring the strongest and most secure products to market.

If you’re in the business of producing IT security products, you should know that attaining Common Criteria certification is critical to your business for some very good reasons, for example:

It opens the door to the government market. All IT security products purchased by the U.S. government for national security systems are required to have Common Criteria certification. Many government agencies, especially the DoD, write Common Criteria certification into their RFPs.

Certification helps you stay competitive. You must have Common Criteria certification if you want to compete against established players who have already been evaluated. This is true not only when selling into the government sector, but also for commercial clients like banks and financial institutions.

Common Criteria helps you improve on the security of your product. Think of the Common Criteria evaluation as the litmus test of your team’s success in developing the product’s security against the appropriate Protection Profile. The Common Criteria certification process may uncover hidden vulnerabilities before you go to market, saving you from having to make costly corrections in the field.

The road to Common Criteria success

When you’re ready to pursue certification, an IT security consultant can make the entire process easier and more cost effective. Make sure your partner has a process that they can describe in detail to guide you through certification to ensure that everything goes smoothly—setbacks can cost not only time but also money. Adhering to this plan can help you ramp up and get underway quickly, and will ensure that you stick to your budget and shorten your evaluation time. Corsec’s process includes these steps:

Begin with an education about the Common Criteria process and an understanding of the sequence of events so that you can schedule time and resources accordingly. Corsec provides customers with a custom compliance report including a blueprint for successful certification—make sure that your partner offers documentation that gives you an understanding of what the process will entail and cost before you actually get started.

With a certification plan in place, you’ll then determine which Protection Profiles you will be validated against, so you can make certain your product meets the requirements specified in the appropriate Protection Profile or Profiles.

Preparation of documentation is a big part of certification. First, you’ll develop a Security Target that provides information about how your product or system meets requirements. A Security Target contains a statement of the requirements to which a specific product or system under evaluation must conform, written to be implementation dependent. A Security Target can be authored to conform to a specific Protection Profile or it can simply state the security functional requirements that your product offers and the assurance levels for the evaluation.

Once that’s done, your team must produce all assurance documentation necessary for submission to the testing lab. It is vital that you have clear, complete documentation, as this is one area where many Common Criteria certifications grind to a halt. Having someone on your team who’s experienced in this type of documentation prep will save you time and costly delays.

The next step is to submit your product and associated documentation to an accredited testing laboratory. The choice you make regarding the lab you’ll work with is really important because different testing labs have different experience levels with particular standards and schemes, different styles of communicating with customers, and different pricing models. Your consulting partner’s relationships will be critical here. Assuming you’ve chosen a good partner to work with, the last step in the process should be “receive certification!”

While Common Criteria certification isn’t a simple process, it’s much easier with an experienced consultant to guide you. Corsec has completed hundreds of certifications for clients. Find out how we can help you.