Press Contact:

Press Contact:

Recent Implementation Guidance (IG) from NIST could impact vendor algorithms. The following overview has been created to summarize those critical dates and associated algorithms.

AES CBC-CS1, CBC-CS2, CBC-CS3 (IG A.12)

• Until Sep. 1, 2020, implementations that claim vendor affirmation to NIST SP 800-38A Addendum A will be accepted for submission.
• After Sep. 1, 2020, only implementations that are CAVP-tested for compliance toNIST SP 800-38A Addendum A will be accepted for submission.

SHAKE and KECCAK-based hash algorithms (IG A.15)

• Until Sep. 1, 2020, implementations that claim vendor affirmation to NIST SP 800-185 will be accepted for submission.
• After Sep. 1, 2020, only implementations that are CAVP-tested for compliance toNIST SP 800-185 will be accepted for submission.

PBKDF (IG D.6)

• Until Dec. 31, 2020, implementations that claim vendor affirmation to NIST SP 800-132 will be accepted for submission.
• After Dec. 31, 2020, only implementations that are CAVP-tested for compliance to NIST SP 800-132 will be accepted for submission.

Key agreement schemes (IG G.20, IG D.1-rev2, IG D.1-rev3, and IG D.8)

• New submissions (3SUB, 5SUB) with previous NIST SP 800-56A-based acceptance scenarios will no longer be accepted after Dec. 31, 2020. These scenarios include, for example, allowances for leveraging a shared secret CVL and a KDF CVL to claim a compliant KAS.
• Implementations under the previous NIST SP 800-56A-based acceptance scenarios will no longer be acceptable for use in FIPS mode after Dec. 31, 2021.
  • CVL certificates used to claim compliance for key agreement schemes will become obsolete after Dec. 21, 2021.
  • New submissions with these CVL certificates will not be accepted after Dec. 21, 2021.
  • Modules with claims of compliance to NIST SP 800-56A or NIST SP 800-56Arev2 will be moved to the Historical List effective Jan 1, 2022.

• Until Dec. 31, 2020, implementations that claim vendor affirmation to NIST SP 800-56Arev3 will be accepted for submission.
• After Dec. 31, 2020, only implementations that are CAVP-tested for compliance toNIST SP 800-56Arev3 will be accepted for submission.

Key transport schemes (IG D.9)

• RSA-based implementations that claim compliance to NIST SP 800-56Brev3 will require CAVP testing after Dec. 31, 2020.
• New submissions (3SUB, 5SUB) with RSA-based implementations that are vendor-affirmed to NIST SP 800-56B will no longer be accepted after Dec. 31, 2020.
• RSA-based implementations that are vendor-affirmed to NIST SP 800-56B will be disallowed after Dec. 31, 2023.
• Non-compliant implementations of RSA key wrap will be allowed until Dec. 31, 2023.
• New submissions (3SUB, 5SUB) with non-compliant implementations of RSA key wrap will no longer be accepted after Dec. 21, 2020.

Key derivations schemes (IG D.10)

• Vendors may continue to claim vendor affirmation to NIST SP 800-56Crev1 thru Dec. 31, 2020.
• Implementations that claim compliance to NIST SP 800-56Crev1 will require CAVP testing after Dec. 31, 2020.

Need Support?

Contact Corsec to discuss your resolution path and determine if you need to take action for your validation.

Corsec would like to congratulate our partner, Forcepoint, on completing the DoDIN APL process for their Next Generation Firewall (NGFW) Engine. Forcepoint partnered with Corsec to achieve this milestone and over the past year the teams worked to harden the product against security requirements for STIG testing, CAC compliance, IPv6, and Information Assurance and Interoperability testing. Forcepoint met the DoD APL’s product security requirements and was awarded the listing under the Data Firewall (DFW) product type.

“Completion of the DoD’s APL listing process is a testament to Forcepoint’s commitment to supporting the DoD and enhancing the security of its network” said Jake Nelson, Director of Marketing at Corsec. For more information on the listing visit the DISA Approved Products List. For more information on engineering your product to meet Federal and regulated industry security requirements, speak directly to a Corsec engineer.

About The DoDIN APL

The DoDIN APL represents the agency’s master list of secure, trusted, and approved technology infrastructure products. The DoDIN APL was developed in an effort to maintain a single consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification. Getting a product included on this coveted list involves a rigorous 39-step process overseen by the Approved Products Certification Office (APCO). This laborious and often confusing process involves the submission of a series of properly completed forms and product documentation, attainment of prerequisite validations and certifications such as FIPS 140-2, Common Criteria, and adherence to strict scheduling guidelines and interdependencies.

About Forcepoint & the NGFW

Forcepoint is the human-centric cybersecurity company that understands behavior and adapts security response and enforcement to risk. The Forcepoint Next Generation Firewall (NGFW) appliances are high-performance network security appliances that add a broad range of built-in security features, including VPN2, IPS3, anti-evasion, TLS inspection, SD-WAN4, and mission-critical application proxies, to a traditional firewall and provides end-to-end protection across the entire enterprise network.

For further information, please visit www.forcepoint.com

Press Contact:

A Federal Register Notice has been issued for the “Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules”.

Having now been signed by the U.S. Commerce Secretary, it is official, FIPS 140-3 has been approved!

“This notice announces the Secretary of Commerce’s issuance of Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules. FIPS 140-3 includes references to two existing international standards: International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E) Information technology — Security techniques — Security requirements for cryptographic modules, and ISO/IEC 24759:2017(E) Information technology — Security techniques — Test requirements for cryptographic modules. As permitted by those standards, NIST Special Publication (SP) series 800-140 will specify updates, replacements, or additions to the currently-cited ISO/IEC standard, as necessary. Those new SP 800-140 documents (currently under development) will consolidate implementation guidance and administrative guidance, and will be made available for public review and comment.”

Key Dates:

Companies actively working on or planning a FIPS validation will inevitably face decisions around which standard to work towards. The following dates will be critical for those projects:

• Draft For Comments: Complete
• Effective Date: Complete
• Publication of the Standard: Complete
• Supporting Documents for FIPS 140-2 & the CMVP Released: Complete
• New Testing Begins: 9/22/20
• 140-3 Mandated & The Last Day for 140-2 Submissions: 9/22/21 (This means Labs must submit their Lab reports to CMVP by this date)

Documentation:

CMVP wants to minimize the content in the series of NIST SP 800-140 documents because they hope to be as close to the international standard as possible. These are the documents that we believe will replace the existing FIPS 140-2 DTR, Appendices, and Annexes:

• NIST SP 800-140 – FIPS 140-3 Derived Test Requirements
• NIST SP 800-140A – CMVP Documentation Requirements
• NIST SP 800-140B – CMVP Security Policy Requirements
• NIST SP 800-140C – CMVP Approved Security Functions
• NIST SP 800-140D – CMVP Approved Sensitive Security Parameter Generation and Establishment Methods
• NIST SP 800-140E – CMVP Approved Authentication Mechanisms
• NIST SP 800-140F – CMVP Approved Non-Invasive Attack Mitigation Test Metrics

A notable omission from the new SP 800-140 series is any reference document for Approved Protection Profiles from Common Criteria (a CC-certified operating system was required for software validations at level 2 and above).

Early Review and Analysis:

This release has been a long time coming. We still expect additional updates and changes to come, but Corsec has reviewed the public documents and found the following areas to be of interest:

• Rather than encompassing the module requirements directly, FIPS 140-3 references ISO/IEC 19790:2012. The testing for these requirements will be in accordance with ISO/IEC 24759:2017
• This version of FIPS 140-3 retains the 4 levels of validation
• The sections in FIPS 140-3 are now as follows:
  1. Cryptographic Module Specification
  2. Cryptographic Module Interfaces
  3. Roles, Services, And Authentication
  4. Software/Firmware Security
  5. Operating Environment
  6. Physical Security
  7. Non-Invasive Security
  8. Sensitive Security Parameter Management*
  9. Self-Tests
  10. Life-Cycle Assurance
  11. Mitigation of Other Attacks

*Sensitive Security Parameters is a new category – SSPs include both CSPs and PSPs (Public Security Parameters)

**Finite State Model was removed but may have been absorbed into section 11

***EMI/EMC was removed. There was no mention of EMI/EMC in the draft ISO 24759 either

Moving Forward:

1. Get Ahead: Be the first to complete the new standard (FIPS 140-3)
2. Revalidate Early: Avoid the new requirements prior to the mandated transition date and add 5 years to your current FIPS 140-2 validation
3. Plan Accordingly – Products being evaluated against FIPS 140-2 during testing transition may face problems completing their certification under old requirements.

Corsec participates in numerous committees, technical working groups, certification leadership positions, and industry events. As more information develops, we will deliver updates. Stay informed on all the program details, requirements, and timelines associated with FIPS 140-3 – Subscribe

For more information on the current FIPS 140-2 program, requirements, and process – visit here.

For any questions on how this will affect current or future FIPS projects, contact Corsec!

###

Press Contact: