NIST and the Federal Shutdown

If you’ve been to the NIST site lately, you saw this.

Two weeks into the federal government shutdown, the debt ceiling is looming and your guess is as good as mine what will happen next.  It doesn’t matter which side of the aisle you’re on, because we are all annoyed, aggravated, and disappointed.  What we do know is that the shutdown has already furloughed NIST employees and all of us are going to suffer the consequences.

Apparently national data security is non-essential.  NIST employees were sent home and both the CAVP and CMVP have suspended validation activity.  Employees are legally barred from using government-issued devices to check e-mail or do any work while on furlough, so if you need anything, your only option is to contact CSEC, NIST’s Canadian counterpart and cooperating partner in the CAVP and CMVP programs.  The bad news?  CSEC cannot complete any validations without a NIST representative present.

Others have illustrated this shutdown as a mild inconvenience, or a minor pain because you cannot access the In Process List on the website or download a form.  I’m sorry to say that it is much, much more than that.

For those of you who are about to begin the process, you’ll quickly find out that without validation of your encryption algorithms, you won’t get very far.  Good luck with that, since CAVP workers are furloughed.  Once NIST re-opens, you can bet that the rush to submit to the CAVP queue will be significant.  It’s going to be a total crapshoot where you land in the queue, and you’re as likely to have to wait a couple months as a few weeks.

Then, and only then, can you submit your complete documentation to the CMVP.  You can forget about competing with the Black Friday-style rush of submissions on their first day open, because you’re still twiddling your thumbs and waiting for the CAVP.  No, you can be sure that you’ll be buried at the bottom of the pile, behind the incredibly long queue that was already in process on September 30^th.  You can add all the folks who will complete their lab testing and submit on the first day open.  It’s going to be ugly.

If you’ve already received your CAVP validations, then congrats!  You only have to deal with one swarm of submissions, instead of two.  Since we don’t know when NIST will re-open, the pressure is on.  Every day that the CMVP is closed, the number of prepared submissions rises, and you better believe that you’ll want to be among those accepted by CMVP on their first day back.  If you’re not, prepare for an extra long wait.  The queue will be particularly impacted.

I hope you’re not completely discouraged, because we’ve got plenty of good news for you.  For example, CryptoComply offers immediate drop-in compliance.  For many enterprise buyers, a letter of confirmation that you are leveraging our validated module will satisfy their internal FIPS mandate.

Instant compliance – that’s tough to beat, especially when things at NIST are as far as possible from instant.  Give us a call.