FIPS 140-2 and Common Criteria industry updates (May 2019)
Highlights from the annual Lab Manager’s meeting and ICMC
- The CMVP recognizes that slow review times have been an issue recently. There are long-term plans to address this problem, but labs and customers should not anticipate significant changes in the near future.
- Greater use of automation should speed up review times in the future. The Automated Cryptographic Validation Protocol (ACVP) is in Phase 4 of development and should help speed up future algorithm and module validations.
- CMVP’s plans for FIPS 140-3 have been made public and published in the Federal Register. The implementation schedule for FIPS 140-3 is available here. Current plans are for FIPS 140-3 testing to begin in September 2020 and for FIPS 140-2 testing to end in September 2021.
- CMVP NIST fees will not be changing in Fiscal Year 2020 (beginning October 1, 2019); however, they do expect to introduce fees for CAVP submissions. Once more information about the CAVP fee structure is provided, Leidos will share it immediately.
Leidos experts are available to help with any questions or concerns regarding the industry updates mentioned above. Please contact us at [email protected] and we will be happy to assist.
NIAP adoption and approval of Protection Profiles
- No new Protection Profiles have been approved by NIAP in the past month. It should be noted that three Protection Profiles and an Extended Package have upcoming sunset dates.
- Version 1.2 of the Application Software Protection Profile will sunset on August 31, 2019, to be replaced by version 1.3 along with version 1.1 of the TLS Functional Package. Version 1.0 of the SSH Extended Package will continue to be applicable to this Protection Profile until an appropriate Functional Package is released.
- Version 2.0E of the collaborative Protection Profile for Network Devices will sunset on September 10 and be replaced by version 2.1.
- Versions 3.0 of the Mobile Device Management Protection Profile and the Mobile Device Management Agent Extended Package will sunset on October 25, to be replaced by version 4.0 of the Mobile Device Management Protection Profile and version 1.0 of the Mobile Device Management Agent Protection Profile Module respectively.
NIAP Technical Decisions (TDs)
NIAP has posted the following TDs on various dates between 4 April 2019 and 16 May 2019:
- TD0414: FTP_ITC_EXT.1 Tests 1 and 2 in PP_APP_EMAILCLIENT_EP_v2.0
- TD0415: Trusted Update Test 4 Conditional in PP_CA_C2.1
- TD0416: Correction to FCS_RBG_EXT.1 Test Activity in PP_APP_v1.3
- TD0417: Updates to FDP_IFF.1 and FIA_UAU.2 in EP_ESC_v1.0
- TD0418: Clarifications for EP_ESC_v1.0
- TD0419: FAU_GEN.1 Audit for FMT_SMF.1 in EP_ESC_v1.0
- TD0420: Conflict in FCS_SSHC_EXT.1.1 and FCS_SSHS_EXT.1.1 in PP_SSH_EP_v1.0
- TD0422: FCS_SRTP_EXT.1 Test 2 in EP_SBC_v1.1
All TDs are effective immediately. A comprehensive list of all TDs with detail can be found here.