FIPS 140-2 and Common Criteria industry updates (Jan. 2019)
General AT&E Lab Update
Leidos will be at the RSA Conference in San Francisco in early March
Leidos’ AT&E team will be represented at the RSA Conference from March 4-8 in San Francisco. If you plan to attend, please reach out as we look forward to meeting with you!
FIPS 140-2
U.S. Govt. receipt of appropriations on Jan 25th
As of January 25, 2019, the U.S. Government ended the partial shutdown and NIST received appropriations for the 3-week period. CMVP informed Leidos of the following on January 28, 2019:
This is to inform you that the NIST CMVP is once again operational after the lapse in appropriations. We are now funded through February 15, 2019.
Thank you in advance for your patience as we come back up to speed in the week ahead.
What this means is that we should start to see some module postings as well as some algorithm submissions being processed soon. We are hopeful that the funding continues beyond February 15th!
We can also confirm that as of January 29, 2019, the NIST CAVP is accepting and processing Algorithm submissions and is funded through February 15, 2019. As we mentioned last month, they have now implemented the new format for CAVP certificates. Here’s a refresher on the changes:
Moving forward on the CAVP website, all algorithm certificates will be implementation-wide as opposed to per-algorithm. Additionally, a new identifier prefix “C” or “A” is being incorporated into this new algorithm certificate style to designate whether the certificate was produced using the current “CAVS” system or the future “ACVP” automated system. The example that NIST provided was this certificate (“Cert. #C 76”), which has AES, CVL, DRBG, HMAC, SHS, RSA, and Triple-DES all on a single certificate.
This change shouldn’t affect vendors much beyond documentation. Once the ACVP is finalized, however, algorithm testing harnesses will need to change because of the changes in formatting (described here), as we’ve mentioned in previous announcements.
Leidos experts are available to help with any questions or concerns regarding the industry updates mentioned above. Please contact us at ATE@leidos.com and we will be happy to assist.
Common Criteria
U.S. Govt. shutdown impacts
Due to the U.S. Government shutdown (December 22, 2018 - January 25, 2019), NIAP made minimal policy and technical decisions. NIAP issued labgram #109, which addressed the shutdown that has now ended, at least temporarily. With the threat of another shutdown looming, here are the contents of labgram #109 that would once again apply:
Evaluations that already have their CAVP/CMVP certificates and all required evidence as prescribed in NIAP Policy #5, may proceed as normal. CCTLs may continue to submit Check-out packages and completed evaluations will be posted on the Product Compliant List (PCL).
Evaluations that do not yet have their CAVP/CMVP certificates, or do not have the required evidence as prescribed in NIAP Policy #5, may submit an interim Check-out package for review. Any interim Check-out package must be fully complete with the exception of NIST certificates. Once the NIST CAVP/CMVP program is operational again, the CCTL must resubmit the package with the appropriate certificates as well as an updated vulnerability analysis. NIAP will determine appropriate timelines for resubmittal once NIST is operational.