I’m glad that’s over.
I’m not going to start spouting my political viewpoints, but I think we can all agree that the government shutdown was not ideal for anyone involved… and that it unfortunately involved all of us.
For the folks in encryption, it was unsettling to learn that NIST was considered non-essential for government operation, and the result was that the CAVP and CMVP processes were hobbled. Without NIST representation, the CSEC’s hands were tied and could not issue any validations.
According to Mark Minnoch on his excellent blog, CMVP was reviewing FIPS submissions from January 2013 on their last day open before the shutdown. This represents a 10 month queue. Back in May, Minnoch had blogged that the queue length was 7.5 months long. This means that CMVP fell behind an additional 2.5 months of work in only 5 active months!
Mark’s latest post highlighted that only three new submissions appeared on the In Process list after NIST resumed operations, but three more have been added on today’s list update. I hate to be pessimistic, but over the last six months, submissions outpaced the CMVP efficiency rate by 50%. This means that the two week shutdown should represent three weeks worth of work, and I anticipate that it will soon be tacked onto the queue. Meanwhile, submissions from January are still being finalized. Forget the projections – that is an actual timeline of ten months. Even if the expected rush of submissions never materializes, the CMVP will need to work significantly faster in order to reduce the queue length, not just keep up.
We haven’t made it to Thanksgiving yet, but let’s talk turkey. You’re destined for pain if you’re planning a traditional validation path. The CAVP is going to be impacted by the shutdown as well, meaning that ten months is really just the beginning. If you’re beginning from scratch, you’re probably pushing a full year, start to finish, once you factor in the document preparation and the algorithm validations. Many buyers can be patient, but that’s asking an awful lot. By this time next year, your point of contact might not even be with the company!
It’s not all bad news though. RapidCert is still available, only from SafeLogic, and we will continue to blow away timeline projections. In fact, we might need to change our tag line to “You needed SafeLogic twelve months ago”. Time savings during validation cycles just got even more valuable, and SafeLogic is the only company that can offer you a truly accelerated timetable.