NIST Successfully Slashes FIPS 140-2 Validation Wait Time Down To Record Lows
Online, May 12, 2011 (Newswire.com) - Corsec Security, Inc., the leader in FIPS 140-2 and Common Criteria documentation, project management and consulting services, today announced that NIST's Cryptographic Module Validation Program (CMVP) queue is down to a record low. This accomplishment marks a major success for the FIPS 140-2 program due to the hard work and dedication from both the National Institute of Standards and Technology (NIST) and Communications Security Establishment Canada (CSEC) throughout the increasing load of products being submitted for validation over the years.
A product's status in the FIPS 140-2 process is made public, with vendor approval, through the CMVP's Modules In Process List which is updated on a regular basis. The queue for products awaiting government review falls in the Review Pending phase, which marks the point when a validation laboratory has completed testing of the product and has submitted their final report to the CMVP. Products will generally stay in the queue until the government can allocate resources to that validation effort.
During the last 13 years, Corsec has aided hundreds of vendors worldwide through the FIPS 140-2 validation process, and has seen the time spent in the Review Pending phase increase to over 6 months in recent years. Due to recent efforts by the CMVP, the number of products waiting in the queue has dropped by 90%, from almost 70 products last September, to only 8. The time waiting in the Review Pending has dropped to only weeks, instead of months. During this time, demand for validations has continued to be high. CMVP's efforts have been successful at drastically reducing the queue and their commitment to the success of the FIPS 140-2 program is apparent and supported by the industry. "Corsec is very pleased with this momentous achievement for CMVP and for the FIPS 140-2 program," said Matthew Appler, CEO of Corsec Security. "We look forward to continuing to do our part in assisting both the CMVP and product vendors to move their products through the process more efficiently."
In 1995, the Cryptographic Module Validation Program (CMVP) was established as a joint effort between NIST in the US and CSEC in Canada with the goal of validating cryptographic modules against Federal Information Processing Standards (FIPS), including FIPS 140. Since then, over 1500 modules have been validated against FIPS 140-2 and its predecessor FIPS 140-1. Several government mandates including NSTISSP #11, DoD 8500.2 and NIST SP 800-23, require that agencies purchase products which have undergone FIPS 140-2 as a means of ensuring third party assurance to the cryptographic security functionality of the product.