• First SP800-140Br1 Compliant FIPS 140-3 Certificates


    On July 11th, 2024, the first three FIPS 140-3 certificates for NIST’s SP800-140Br1 pilot program were posted on the NIST website. atsec information security was one of the labs that took part in the pilot program. SP 800-140Br1 specifies modifications of the methods to be used by a Cryptographic and Security Testing Laboratory (CSTL) to demonstrate conformance to ISO/IEC 19790 Annex B requirements.

    The project was led by David Hawes (CMVP Program Manager), who kicked it off in June 2023 in preparation for the rollout of SP800-140Br1, with the intention that it would help in preparing for the new process. With regular group meetings and guidance from CMVP, atsec submitted their first pilot in September 2023. This resulted in certificate #4723 for AMD’s ASP Cryptographic Coprocessor ("Phoenix"). atsec would like to thank AMD for their willingness to be part of this project. Special thanks to David Hawes for all the guidance, prompt responses and his dedication to this project.

    As an outcome of this project, CMVP created the MIS Verifier and Security Policy Builder tool, which is an important step toward automated verification and processing of modules. The Security Policy (SP) is one of the required documents for a FIPS submission. Previously, the SP was written manually in its entirety, which led to many consistency and human errors. In the new process, CMVP uses JSON as the submission format to provide a mechanism for receiving structured data. This structured source of field and table information is the Module Information Structure (MIS). The remaining information is entered by the vendor into a copy of the CMVP-supplied Microsoft Word template document. The completed template is merged with the MIS fields and tables to produce the final Security Policy. The verifier part parses the MIS fields and performs schema and rule validation, which helps eliminate duplication of information and the need to verify multiple separate sources.

    This is accompanied by a Br1 variation of the original Web Cryptik, a web-based application for the CSTLs to create and submit their FIPS report packages to CMVP.

    This is not the only measure the CMVP is taking to shorten the cryptographic module queue: Interim Validations were recently introduced as a way to deal with the current backlog. While they give some much-needed relief, they come with a reduction in assurance and a shorter certificate lifetime of 2 years vs. the usual 5 years.

    As a sustainable way to expedite the FIPS validation process in response to the increasingly high demand for validated cryptographic modules, the National Cybersecurity Center of Excellence (NCCoE) launched the AMVP (Automated Module Validation Project) initiative and is making good progress. The upcoming ICMC in September will have a panel on this project and demonstrate its latest developments. atsec actively participates in the NCCoE AMVP alongside the CMVP, vendors, and other labs. We are optimistic that we will soon see the light at the end of the lengthy review-pending tunnel.

  • Original article: https://blog.csdn.net/weixin_54957825/article/details/140428870