Important News:SafeLogic Announces General Availability for CryptoComply for Go! Learn more!

Request Consultation
Request Consultation

FIPS 140

Compliance

Technology

Industries

FIPS 140 Validation-as-a-Service

Post-Quantum Cryptography

Extended Support

The Post-Shutdown FIPS Validation Queue

October 22, 2013 Walt Paley

I’m glad that’s over.

I’m not going to start spouting my political viewpoints, but I think we can all agree that the government shutdown was not ideal for anyone involved… and that it unfortunately involved all of us.  FIPS140Logo

For the folks in encryption, it was unsettling to learn that NIST was considered non-essential for government operation, and the result was that the CAVP and CMVP processes were hobbled.  Without NIST representation, the CSEC’s hands were tied and could not issue any validations.

According to a recent blog post, CMVP was reviewing FIPS submissions from January 2013 on their last day open before the shutdown.  This represents a 10 month queue.  Back in May, the queue length was estimated at 7.5 months long.  This means that CMVP fell behind an additional 2.5 months of work in only 5 active months!

Another blog post highlighted that only three new submissions appeared on the In Process list after NIST resumed operations, but three more have been added on today’s list update.  I hate to be pessimistic, but over the last six months, submissions outpaced the CMVP efficiency rate by 50%.  This means that the two week shutdown should represent three weeks worth of work, and I anticipate that it will soon be tacked onto the queue.  Meanwhile, submissions from January are still being finalized.  Forget the projections - that is an actual timeline of ten months.  Even if the expected rush of submissions never materializes, the CMVP will need to work significantly faster in order to reduce the queue length, not just keep up.

We haven’t made it to Thanksgiving yet, but let’s talk turkey.  You’re destined for pain if you’re planning a traditional validation path.  The CAVP is going to be impacted by the shutdown as well, meaning that ten months is really just the beginning.  If you’re beginning from scratch, you’re probably pushing a full year, start to finish, once you factor in the document preparation and the algorithm validations.  Many buyers can be patient, but that’s asking an awful lot.  By this time next year, your point of contact might not even be with the company!

It’s not all bad news though.  RapidCert is still available, only from SafeLogic, and we will continue to blow away timeline projections.  In fact, we might need to change our tag line to “You needed SafeLogic twelve months ago”.  Time savings during validation cycles just got even more valuable, and SafeLogic is the only company that can offer you a truly accelerated timetable.
Walt Paley

Walt Paley

Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An Alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.

FIPS validation CMVP CAVP Industry News FIPS 140 NIST queue RapidCert federal SafeLogic

Share This:

Back to posts

Popular Posts

Search for posts

Tags

See all