Press Contact:

The National Institute of Standards and Technology (NIST) has announced that the Cryptographic Module Validation Program (CMVP) and the Cryptographic Algorithm Validation Program (CAVP) will soon be transitioning to an automated process for algorithm testing.

NIST’s announcement states that use of the current Cryptographic Algorithm Validation System (CAVS) and issuance of algorithm validations from that system will end at midnight on 6/30/20. Replacing the manual process is the new and updated Automated Cryptographic Validation Test System (ACVTS).

ACVTS testing has begun but is not yet mandatory unless the implementation has an Approved algorithm that the ACVTS Prod server supports and that CAVS does not support, with two clarifications:

1. If a CAVS submission would require special processing, e.g., a request from the vendor/lab that failing test results be ignored because the implementation under test does not support certain input parameter lengths, but the ACVTS handles the case natively, ACVTS must be used.
2. If a FIPS 140-2 IG indicates that vendor affirmation is applicable for a particular Approved algorithm (and the IG transition end date has not passed), the vendor may choose either to test using ACVTS or vendor affirm.

Notes:

• CAVS testing will remain free until it is retired
• ACVTS will be free up until the CAVS retirement date

Key Dates:

• 1/20/20: CAVS submissions will only be accepted from a NVLAP-accredited CTS Lab that has obtained ACVTS credentials
• 6/30/20: Last day to submit CAVS test results
• 7/1/20: ACVTS is the only path for obtaining algorithm validations

About Algorithm Testing and FIPS 140-2

FIPS 140-2 is a joint effort by the National Institute of Standards and Technology (NIST) in the United States, and the Communications Security Establishment Canada (CSEC), under the Canadian government. The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing for FIPS 140-2. Product vendors are required to complete validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components.

FIPS 140-2 provides stringent third-party assurance of security claims on any product containing cryptography that may be purchased by a government agency. FIPS is mandated by law in the U.S. and very strictly enforced in Canada, it is also currently being reviewed by ISO to become an international standard. FIPS 140-2 is gaining worldwide recognition as an important benchmark for third party validations of encryption products of all kinds. A FIPS 140-2 validation of a product provides end users with a high degree of product security, assurance, and dependability.

About Corsec Security, Inc.

For two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2, Common Criteria (CC) and the DoD’s APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

A Federal Register Notice has been issued for the “Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules”.

Having now been signed by the U.S. Commerce Secretary, it is official, FIPS 140-3 has been approved!

“This notice announces the Secretary of Commerce’s issuance of Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules. FIPS 140-3 includes references to two existing international standards: International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E) Information technology — Security techniques — Security requirements for cryptographic modules, and ISO/IEC 24759:2017(E) Information technology — Security techniques — Test requirements for cryptographic modules. As permitted by those standards, NIST Special Publication (SP) series 800-140 will specify updates, replacements, or additions to the currently-cited ISO/IEC standard, as necessary. Those new SP 800-140 documents (currently under development) will consolidate implementation guidance and administrative guidance, and will be made available for public review and comment.”

Key Dates:

Companies actively working on or planning a FIPS validation will inevitably face decisions around which standard to work towards. The following dates will be critical for those projects:

• Draft For Comments: Complete
• Effective Date: Complete
• Publication of the Standard: Complete
• Supporting Documents for FIPS 140-2 & the CMVP Released: Complete
• New Testing Begins: 9/22/20
• 140-3 Mandated & The Last Day for 140-2 Submissions: 9/22/21 (This means Labs must submit their Lab reports to CMVP by this date)

Documentation:

CMVP wants to minimize the content in the series of NIST SP 800-140 documents because they hope to be as close to the international standard as possible. These are the documents that we believe will replace the existing FIPS 140-2 DTR, Appendices, and Annexes:

• NIST SP 800-140 – FIPS 140-3 Derived Test Requirements
• NIST SP 800-140A – CMVP Documentation Requirements
• NIST SP 800-140B – CMVP Security Policy Requirements
• NIST SP 800-140C – CMVP Approved Security Functions
• NIST SP 800-140D – CMVP Approved Sensitive Security Parameter Generation and Establishment Methods
• NIST SP 800-140E – CMVP Approved Authentication Mechanisms
• NIST SP 800-140F – CMVP Approved Non-Invasive Attack Mitigation Test Metrics

A notable omission from the new SP 800-140 series is any reference document for Approved Protection Profiles from Common Criteria (a CC-certified operating system was required for software validations at level 2 and above).

Early Review and Analysis:

This release has been a long time coming. We still expect additional updates and changes to come, but Corsec has reviewed the public documents and found the following areas to be of interest:

• Rather than encompassing the module requirements directly, FIPS 140-3 references ISO/IEC 19790:2012. The testing for these requirements will be in accordance with ISO/IEC 24759:2017
• This version of FIPS 140-3 retains the 4 levels of validation
• The sections in FIPS 140-3 are now as follows:
  1. Cryptographic Module Specification
  2. Cryptographic Module Interfaces
  3. Roles, Services, And Authentication
  4. Software/Firmware Security
  5. Operating Environment
  6. Physical Security
  7. Non-Invasive Security
  8. Sensitive Security Parameter Management*
  9. Self-Tests
  10. Life-Cycle Assurance
  11. Mitigation of Other Attacks

*Sensitive Security Parameters is a new category – SSPs include both CSPs and PSPs (Public Security Parameters)

**Finite State Model was removed but may have been absorbed into section 11

***EMI/EMC was removed. There was no mention of EMI/EMC in the draft ISO 24759 either

Moving Forward:

1. Get Ahead: Be the first to complete the new standard (FIPS 140-3)
2. Revalidate Early: Avoid the new requirements prior to the mandated transition date and add 5 years to your current FIPS 140-2 validation
3. Plan Accordingly – Products being evaluated against FIPS 140-2 during testing transition may face problems completing their certification under old requirements.

Corsec participates in numerous committees, technical working groups, certification leadership positions, and industry events. As more information develops, we will deliver updates. Stay informed on all the program details, requirements, and timelines associated with FIPS 140-3 – Subscribe

For more information on the current FIPS 140-2 program, requirements, and process – visit here.

For any questions on how this will affect current or future FIPS projects, contact Corsec!

###

Press Contact:

Corsec would like to congratulate the entire HPE Smart Array team on completing the FIPS 140-2 validation process. The completion of the certification process not only opens the doors to new and exciting markets for HPE, but also demonstrates their fervent commitment to product security.

To achieve this milestone, HPE partnered with Corsec, completing the validation at a Level 1 as seen in certificate #3397. For more information on the validation and to find additional details on the security policy, visit NIST’s validated modules site.

Their completion of the FIPS 140-2 validation process demonstrates their commitment to strong levels of security, including a government backed product offering and a dedication to providing customers and end users with the most scrutinized and highly tested security solutions.

For more information on engineering your product to meet Federal and regulated industry security requirements, schedule time to speak to a Corsec engineer.

About FIPS 140-2

FIPS 140-2 is a joint effort by the National Institute of Standards and Technology (NIST) in the United States, and the Communications Security Establishment Canada (CSEC), under the Canadian government. The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing for FIPS 140-2, which applies to Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems. FIPS 140-2 provides stringent third-party assurance of security claims on any product containing cryptography that may be purchased by a government agency.

FIPS, which is mandated by law in the U.S. and very strictly enforced in Canada, is also currently being reviewed by ISO to become an international standard. FIPS 140-2 is gaining worldwide recognition as an important benchmark for third party validations of encryption products of all kinds. A FIPS 140-2 validation of a product provides end users with a high degree of product security, assurance, and dependability.

About Corsec Security, Inc.

For two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2, Common Criteria (CC) and the DoD’s APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

The Continuous Diagnostics and Mitigation Program

The Continuous Diagnostics and Mitigation (CDM) Program was originally a multiple award IDIQ released under the GSA Schedule 7o Blanket Purchase Agreement (BPA). It was created to establish “a dynamic approach to fortifying the cybersecurity of government networks and systems.”

The program was designed to provide the Department of Homeland Security and other federal agencies with the capabilities, resources, and tools to 1.) Identify cybersecurity risks on an ongoing basis, 2.) Prioritize these risks based upon potential impacts, and 3.) Enable cybersecurity personnel to mitigate the most significant problems first.

As threats changed, the CDM program offered federal agencies COTS tools to support technical modernization efforts. Additionally, CDM provided a structured methodology to allow for risk prioritization based on perceived impact, with the goal of mitigating the most significant risks, flaws, and bugs first. To do this, CDM used a four-phase process with an end goal of collecting and analyzing vulnerabilities data to make “strategic decisions regarding systematic cyber security risks across the entire Federal civilian enterprise.”

Ultimately, CDM provided a means to address and react to threats as they occurred, which decreased vulnerabilities and mitigated the risk of network exploitation.

Since its inception, the acquisition strategy for the CDM program changed. As stated, it originally was a DHS issued Blanket Purchase Agreements (BPA) under the GSA IT Schedule 70 contract, known and referred to as the CDM Tools/Continuous Monitoring as a Service (CMaaS) BPAs. These BPAs expired in August of 2018. 

To continue the mission and goals of the program, the following two acquisition strategies were developed to allow Vendors to compete on projects that address the mission of CDM:

• For Products (SW & HW) – Issuance of a CDM Tools SIN (132-44) under the GSA IT Schedule 70
• For Services – Task Orders referred to as CDM Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) under the GSA GWAC Alliant

The programs are still consistent with NIST and OMB guidance as well as fulfillment of the Federal Information Security Management Act (FISMA).

CDM Tools SIN (132-44)

The new SIN is organized into five subcategories based on CDM capabilities:

1. Manage “What is on the network?”
2. Manage “Who is on the network?”
3. Manage “How is the network protected?”
4. Manage “What is happening on the network?”
5. Emerging Tools and Technology

To be added to the CDM Tools SIN, Vendors must submit their product for qualification review. Prior to applying, vendors must first have their product listed on the DHS Approved Products List (APL), and second, be a current holder of the GSA Schedule 70 GWAC. Acceptance onto the APL is reviewed on a monthly basic – the process to being added can be found here.

A current list of all vendors and products currently available for procurement under the CDM Tools SIN can be found here.

For help with requirements or other certification related concerns, please reach out and discuss with a Corsec expert – Connect

Stay Up to Date:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

2018 FEDERAL YEAR IN REVIEW

2018 was a stellar year for companies doing business with U.S. Federal Agencies. Over $95.6 billion dollars were allocated towards the procurement of secured IT products and solutions across Civilian, DoD, and the IC agencies.