The Cryptographic Module Validation Program (CMVP) is a part of the National Institute of Standards and Technology (NIST) which operates under the Department of Commerce.  The CMVP’s role is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules, this primarily occurs through management and oversight of the testing required as part of the FIPS 140-2 / FIPS 140-3 validation standards.

The CMVP is currently experiencing longer than usual evaluation periods within the FIPS 140 programs. To rectify and hopefully assist in shortening those wait times, the CMVP is looking to automate processes and procedures related to the evaluation and testing of these cryptographic modules.

To support this newly identified objective, the CMVP has developed a draft document which outlines assumptions, challenges, current architectures, requirements, and guidance.  The ultimate goal is to identify ideas and recommendations on how to automate some of the more tedious and manual elements of the FIPS 140 evaluation process.  Specifically stating they hope to improve efficiencies and timelines within CMVP operations.

Some of the current challenges outlined include:

• An increase in complex modules being evaluated
• A lack of human resources to address the influx in evaluations
• Insufficient information/documentation submissions
• Operating Environment Updates

This is not the first time the CMVP has turned to automation, as they recently implemented a change to the methods for testing algorithms within the Cryptographic Algorithm Validation Program (CAVP). Read more about that transition here.

Although the effects of such an effort are not expected to make an impact in the near term, it is a positive sign that the CMVP is actively trying to improve things in the long run.

###

In response to the COVID-19 pandemic around the globe, Corsec staff have transitioned to a telework policy to ensure the health and wellbeing of our staff, their family, and the community.

We feel fortunate to announce that during this difficult time all Corsec business operations will continue as scheduled and without interruption. Corsec staff have been successfully meeting with customers, FIPS 140-2 and Common Criteria laboratories, and our partners via video conferencing over the last month and have uniformly gotten the response that everyone is committed to keeping projects on schedule.

Corsec will continue to monitor the crisis as we move through April and into May; following guidance and information from our government and healthcare professionals.

Impact on Security Certification Programs & Resources

Government security certification activities for FIPS 140-2, Common Criteria, and the DoDIN APL continue to operate during the COVID-19 crisis. Many governments and private laboratories have transitioned to teleworking for the foreseeable future. For additional information on how these programs may be impacted or if you have specific questions on your project, Contact Corsec.

Recent News:

• NIAP has announced operations will resume:
  “Effective 18 May 2020, the NIAP office will resume operations. Thank you for your patience and understanding as this occurs.”
• DISA announced:
  “The APL will continue to be updated daily and the APCO will continue to operate. The Distributed Labs that conduct APL testing will continue to process ongoing testing adjudications as they are able.”
• NIST has announced that operations will continue but access to the Boulder, CO and Gaithersburg, MD offices is limited to mission critical staff only

Additional Resources:
NIST Guidance on Teleworking
Stay Up To Date on Changes
Certification Resources

Message From Matthew Appler, Corsec CEO

During these difficult and challenging times Corsec wants to thank our heroes on the front line fighting against COVID-19 around the globe. Our thoughts are with all those affected.

As we all adjust to new challenges, we would like to thank our customers, laboratory partners, and certification bodies that have adapted so quickly to ensure continued support and service. Corsec remains committed to providing support to our customers and the community during this crisis.

From everyone at the Corsec family, please stay safe and healthy, together we will overcome these difficult times and emerge stronger.

Corsec would like to congratulate our partner, Forcepoint, on completing the DoDIN APL process for their Next Generation Firewall (NGFW) Engine. Forcepoint partnered with Corsec to achieve this milestone and over the past year the teams worked to harden the product against security requirements for STIG testing, CAC compliance, IPv6, and Information Assurance and Interoperability testing. Forcepoint met the DoD APL’s product security requirements and was awarded the listing under the Data Firewall (DFW) product type.

“Completion of the DoD’s APL listing process is a testament to Forcepoint’s commitment to supporting the DoD and enhancing the security of its network” said Jake Nelson, Director of Marketing at Corsec. For more information on the listing visit the DISA Approved Products List. For more information on engineering your product to meet Federal and regulated industry security requirements, speak directly to a Corsec engineer.

About The DoDIN APL

The DoDIN APL represents the agency’s master list of secure, trusted, and approved technology infrastructure products. The DoDIN APL was developed in an effort to maintain a single consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification. Getting a product included on this coveted list involves a rigorous 39-step process overseen by the Approved Products Certification Office (APCO). This laborious and often confusing process involves the submission of a series of properly completed forms and product documentation, attainment of prerequisite validations and certifications such as FIPS 140-2, Common Criteria, and adherence to strict scheduling guidelines and interdependencies.

About Forcepoint & the NGFW

Forcepoint is the human-centric cybersecurity company that understands behavior and adapts security response and enforcement to risk. The Forcepoint Next Generation Firewall (NGFW) appliances are high-performance network security appliances that add a broad range of built-in security features, including VPN2, IPS3, anti-evasion, TLS inspection, SD-WAN4, and mission-critical application proxies, to a traditional firewall and provides end-to-end protection across the entire enterprise network.

For further information, please visit www.forcepoint.com

Press Contact: