For some time now, the CMVP has had a queue of FIPS 140-2 and FIPS 140-3 projects waiting for evaluation. To remedy this problem and shorten the delay, the CMVP is committed to creating tools that automate the processes and procedures related to the evaluation and testing of these cryptographic modules.
What is the CMVP and why is it so important in the certification process of cryptographic modules?
The CMVP (Cryptographic Module Validation Program) arose from an alliance between the United States and Canada to support the certification of cryptographic modules under FIPS methodologies. Its objective is to promote the use of validated cryptographic modules and to provide a security scale for use when acquiring products that contain cryptographic modules. The CMVP is part of NIST (National Institute of Standards and Technology), the government agency that assumes the role of Certification Body in the United States.
CMVP has become the scheme used internationally to evaluate cryptographic modules.
Tools to automate processes as a solution to speed up the FIPS certification process.
This is not the first time that the CMVP has relied on the development of tools to automate processes: it recently implemented a change in the methods for testing algorithms within the Cryptographic Algorithm Validation Program (CAVP).
To address the problem of long delays, the CMVP has created a document that identifies ideas and recommendations on how to automate some of the more tedious manual tasks in the FIPS validation process, with the aim of being more efficient and reducing waiting times so that products reach the market in a timely manner. The new mechanisms to be implemented will be tested by accredited laboratories that are members of the National Voluntary Laboratory Accreditation Program (NVLAP).
*Original source https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/cmvp-project-description-draft.pdf
Automation, part of our DNA
At jtsec we welcome this type of initiative, as promoting automation in the processes used in cybersecurity certifications has been part of our nature since the beginning. We have developed tools that are unique in the market, such as CCToolbox for Common Criteria and LinceToolbox for LINCE evaluations (the Spanish national cybersecurity certification). These tools allow us to automate a number of processes in both the consulting and the evaluation parts of both methodologies. In addition, thanks to funding from the European Commission under the Connecting Europe Facility (CEF) program, we are developing CCCAB (Common Criteria Conformity Assessment Body), which will be a free, open source tool that will allow Common Criteria CABs of the new EUCC scheme to smooth the certification process of ICT products.
Time-to-market is one of our priorities when dealing with an evaluation. Helping our clients to get their certified product to market quickly is a competitive advantage for them. Thanks to the use of these tools, we are able to ensure that the product is on the market on time.