Resolution on the CMVP’s FIPS 140 Queue

On Feb 21, 2024, the CMVP made a big announcement regarding modules which had been submitted for FIPS 140 validation: “Due to the issues caused by the queue length, the CMVP has made a decision to allow for provisional validation of FIPS 140-3 modules that were submitted prior to Jan 1, 2024.”

The announcement came after public concern over the length of time it was taking for modules to complete the government’s review portion of the FIPS 140-3 validation process.  In 2022, the CMVP began accepting modules into review for FIPS 140-3.  To date, only 19 modules have completed validation, showcasing a multi-year review process by the CMVP.

The announcement came with a great deal of comments and speculation.  As a result, the CMVP decided to hold meetings with interested parties to find a suitable path forward that would address the queue while taking industry's concerns into consideration.  Prior to a more recent announcement, the following would apply to interim validations:

  • Applicable only to module submissions prior to January 1, 2024
  • The CMVP wants 95+% of these entries to submit a Br1 conversion. Br1 is a new document format and submission process (despite the bugs associated with it and the fact that it has not produced a single certificate to date)
  • The name for these evaluations was “Provisional Validation” (PV); however, that has now changed to “Interim Validation” (IV)
  • The sunset date of an IV is currently set at 2 years (previously set at 1 year) and will have a caveat
  • The sunset date of an IV can be extended to 5 years with submission of a Br1 update or UPDT
  • No deadline has yet been established for companies to decide whether they want to pursue an IV
  • There is no guarantee that IVs will be accepted by Agencies for purchasing products
  • The details on how the current queue and IVs will be evaluated continue to change; they are currently set to be processed in order of the original queue date
  • Moving forward, the CMVP will follow a “Trust but verify” process with Labs for reviewing validations

A Resolution and Path Forward

On May 24, 2024, the CMVP announced a course of action to address the concerns raised about the previous announcement while still addressing the heart of the issues related to the FIPS 140-3 queue.  As part of the notice, there were significant changes:

  • No report will be required to undergo interim validation or be updated to SP 800-140Br1 (a.k.a. Br1)
  • The caveat language for the interim validation has been updated (request a copy of the caveat explanation)
  • A limited set of revalidation scenarios for interim certificates will be accepted, including CVE, NSRL, VUP, and VAOE (see FIPS 140-3 MM 7.1 Submission Scenarios)
  • The CMVP cannot commit to accepting Rebrands at this time and can’t guarantee that they will in the future
  • Processing interim validation requests will begin on June 3, 2024

Proposed Process

The notice has defined the process the CMVP will follow as they move forward.  Below is text taken directly from the release:

  1. We will continue to process reports that are “In Coordination” using current processes. Other than the interim validation path described below, 100% of our review time will be dedicated to completing these validations.
  2. Once we begin processing interim validation requests (target date of June 3, 2024), we will work through the reports in queue order, processing interim validations for the reports as requested by the vendor. As a report hits the top of the queue, if interim validation is not selected, we will continue to the next interim report in the queue. As new interim validation requests are submitted after June 3, we will process them in the original submission queue order. We will continue this until we’ve processed all the reports requesting interim validation submitted prior to January 1, 2024.
  3. When the interim reports and the reports in coordination have been completed (or at least waiting for the lab responses), we will, in queue order, begin work reviewing the reports that have not been selected for interim validation. At this time we cannot provide any specific timeline information for these reports or detail the exact approach we will take to get through the validation. Once we have completed the interim validations, we will need to see how many vendors select the interim validation option, how many select the Br1 option, and analyze and review our processes to date. We anticipate being able to provide updated timeline information at that time. There are two things we can say now related to the validation timeline for these reports:
    • The review process for reports in the Br1 format will take significantly less time.
    • The validation timeline for all the reports will be sooner than it would in the current situation.
  4. After we have completed the initial queue-order processing of interim validations, we will continue to accept requests for interim validation until October 1, 2024. However, once we begin reviewing a report, whether in the current format or in the Br1 format, we will not accept an interim validation request.
  5. To get through the queue and work through the processes above, we will need to reduce (but not eliminate) the time we spend on other CMVP activities including responding to status requests, RFGs, special process requests, etc.

What Is Next?

Corsec is working with the CMVP, Accredited Labs, and Product vendors to discuss the best path forward for each validation. If you have any questions or would like more information, please reach out directly.


Past Milestones of the CMVP’s Proposed Plan
  • Feb 21: CMVP presents a proposal for Provisional Validations (PV)
  • Feb 28: CMVP elaborates with a proprietary checklist and decision table
  • Feb 29: CMVP requests feedback by March 6
  • March 05: Feedback Provided
  • March 08: Meeting held to discuss feedback
  • March 22: CMVP hosts meeting for all impacted parties to present updated Interim Validation (IV) proposal
  • May 14: CMVP Interim Validation Notice released

Below are statistics on FIPS 140-2 and FIPS 140-3 government wait times based on an AWS Lambda monitoring project:

FIPS 140-2 Validations:
Oct: 396 Days
Nov: 401 Days
Dec: 397 Days
Jan: 398 Days
Feb: 402 Days
March: 398 Days
April: 388 Days
May: 393 Days

FIPS 140-3 Validations:
Oct: 647 Days
Nov: 625 Days
Dec: 620 Days
Jan: 626 Days
Feb: 655 Days
March: 661 Days
April: 690 Days
May: 728 Days


About FIPS 140-3

FIPS 140-3 is a joint effort by the National Institute of Standards and Technology (NIST) in the United States and the Communications Security Establishment Canada (CSEC), under the Canadian government. The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing for FIPS 140-3, which applies to Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems. FIPS 140-3 provides stringent third-party assurance of security claims on any product containing cryptography that may be purchased by a government agency.

FIPS 140-3 is mandated by law in the U.S. and very strictly enforced in Canada. FIPS 140-3 has gained worldwide recognition as an important benchmark for third party validations of encryption products of all kinds. A FIPS 140 validation of a product provides end users with a high degree of product security, assurance, and dependability.

###

Press Contact:

Jake Nelson
Dir of Marketing
Jnelson@corsec.com