February 1, 2013

FIPS 140-2 report queue update

Now that January is behind us, it is time for an update on the FIPS 140-2 report queue.  In January 2013, 15 FIPS 140-2 certificates were issued -- 7 of those were validated by InfoGard Laboratories.  Go Team!

As of February 1, 2013, InfoGard has received comments from the CMVP for 4 reports that were submitted in July 2012 and we are waiting for comments on 4 other July reports.  All reports submitted prior to July have been reviewed by the CMVP.

My estimate for the current CMVP review time remains at 6 to 7 months.  I am actually very encouraged that my estimate has not increased since I went on record with my last estimate in November 2012.

I am carefully monitoring the Modules in Process list as this is an excellent indicator of FIPS 140-2 report activity.  The number of reports in the "Review Pending" and "In Review" columns has increased by 26 (a 23% uptick) since November 2012.

Longer review times may be ahead of us in 2013, so stay tuned for future updates.  High-quality report submissions are exactly what the CMVP needs to maintain and improve their review times.

3 comments:

  1. Hi Mark,

    Thank you for the informative blog. This will surely help us in better planning.

    I work for an organization that develops FIPS security modules.
    One of our modules is certified multiple times as and when new features are added. Now, this FIPS module has to be modified to fix a bug. This bug is not related to crypto/security functionality. It is a two-line change that does not touch any security code.

    Can this kind of code change be absorbed as a quick maintenance certification process? I appreciate your valuable comments.

    Thanks and Regards,
    Phani.

    Replies
    1. Phani,

      Yes, if the change is not security relevant as you suggest, then this is an easy maintenance effort. Contact the FIPS Laboratory that performed your validation testing. They will be able to review the code change and coordinate a maintenance update to your existing certificate.

      There is no NIST fee for this update and the Laboratory costs will not break the bank. Once the Laboratory completes their review, the NIST website will be updated in 2-3 weeks.

      If you would like a little more information on the different types of FIPS revalidations, read the following blog post:

      http://fips140.blogspot.com/2011/09/fips-140-2-revalidation-terms-to-know.html

      Good luck. Thanks for the question.

      Mark Minnoch

    2. Thank you very much for the quick response. This makes us very happy.
      Actually, we were with InfoGard for the validation. We will meet them for recertification.

      Phani.
