Just before the winter holiday, sneaking in with very little fanfare, CMVP issued a statement on the treatment of modules that are pending FIPS 140 validation. Our friends at Acumen Security had a good rundown at their blog of the nuts and bolts of the guidance. (Go ahead and read it if you like. I’ll wait.)
In a nutshell, the CMVP has promised action to put pressure on folks to actually complete their validations. Imagine that! They have capped IUT (Implementation Under Test) modules at 18 months, which is entirely reasonable for anyone who is making a good effort to move forward. If you’re past IUT and on the MIP (Modules In Process) list, the response time expectation has been dropped from 120 days to 90 days… and you get booted from the list if you fail to respond. Again, it’s very reasonable. Three months to respond to CMVP’s questions is far more than you need if you’re actively pursuing certification.
It’s laughable for SafeLogic customers, of course. RapidCerts are on the IUT list so briefly, if you blink, you might miss it! In fact, the 90-day response time for MIP is longer than our entire process! This really will only potentially affect projects that are dragging their heels.
NIST hasn’t said as much, but industry insiders are speculating that the 18-month window is just the first stake in the ground and will be reduced to a tighter timeline in the future. We saw the writing on the wall when CMVP separated the Modules In Process (MIP) list from the Implementation Under Test (IUT) list and annotated both with the dates of addition.
So why establish the sunset date? The most obvious answer is that NIST is tired of vendors claiming conformance (pointing to their In Process status as evidence) when they aren’t making an honest attempt to actually complete validation. Some consultants have made a sport out of trying to game the system… it’s practically highlighted as a specialty on their list of services! Front-loaded contracts for FIPS validation incentivize consultants to make the bare minimum effort, filing the initial paperwork, and getting their client added to the IUT List. Then it’s the federal agencies that are an accessory to the charade, subjectively giving certain vendors a free pass, approving the procurement of some solutions while they are still in IUT – potentially violating encryption and compliance mandates. Any child in school could explain that taking a test is not the same as having passed it, and yet our nation’s best and brightest shrug and say “Well, we wanted it, so we got it anyway.”
I think NIST has had their fill of being the unintentional enabler of this behavior. With an 18-month sunset applied retroactively, and the potential to tighten that window further in the future, the semantic games are on the way out. IUT is intended for vendors making progress, not as the goal itself, and that is being made very clear. We’ll see how many modules are cleared out on the first sweep and how many suddenly make progress now.
We should applaud NIST and the CMVP. The public IUT list was supposed to be a status update, a checkpoint, not the goal itself. It was available as a reference for federal agencies, to be reassured that negotiating procurement terms in advance of an impending validation would be worthwhile. I don’t know when agencies began on the slippery slope of deployment before certification, but it’s a dangerous policy and must be stopped. The IUT status by itself is worthless, and acting otherwise will devalue the FIPS 140-2 validation program if it’s allowed to continue.
Now, more than ever, as we approach the transition of power to a new presidential administration, the federal government must play by the rules – especially the ones that they themselves have set. NIST is doing a commendable job adjusting on the fly to ensure the best possible future of the CMVP and to make sure that vendors who play by the rules aren’t hung out to dry.