FIPS 140-3 Transition Extended by CMVP

In an unexpected plot twist during the transition to FIPS 140-3, the Cryptographic Module Validation Program (CMVP) announced that the cut-off for FIPS 140-2 submissions would be extended from the planned September 21, 2021 date until March 30, 2022 April 1, 2022. [See update below.] Here's what you need to know.

• • - Ultimately, all FIPS 140-2 validations will expire at their scheduled 5 year Sunset Date; on September 21, 2026; or if the module is disqualified based on an algorithm transition; whichever comes first. So even if you receive one of the certs granted during the extension, you won't get an extended Sunset Date.
  • - CMVP doesn't care about months or days. The deadline was moved from a mid-month Tuesday to a mid-month Wednesday. Each selected date roughly corresponded to the end of a calendar quarter, but otherwise, we would just be speculating on why it was selected. Tweet at us if you know the real reason... or even better, if you have a hilarious theory. [See update below.]
  • - Labs are required to officially request the extension for any affected modules. So this isn't a free-for-all to skate in by March. The extension request must be made by September 30, 2021 for any submissions that were not received by the original deadline. (Hey, the last day of the month! That makes sense.) This indicates that while CMVP has been stretched very thin in recent months with the FIPS 140-3 transition, this extension was intended to primarily help the labs accommodate a backlog of test reports that need to be generated and submitted.

Of course, partnering with SafeLogic makes a world of difference. Our RapidCert process will not be subject to the cut-off date, regardless of whether it is enforced in September or March. This is particularly important, as we originally believed CMVP would be handling it differently and not allow any new 140-2 certs of any kind after that date. We will be proceeding with our validation roadmap for FIPS 140-3 as planned and will continue to offer FIPS 140-2 RapidCerts in the meantime, with the same high level of simplicity and support that has become synonymous with the SafeLogic name.

Contact us immediately if you see FIPS 140 validation on the horizon for your solution, so we can accelerate your validation and keep your Go To Market plans on target!

CMVP revised their new final deadline to be April 1, 2022, which is both a Friday and obviously the beginning of a month. Very logical! (Although if it's just a super meta April Fool's Day joke, there will be a lot of cranky people.)

***Update 2***

CMVP made another clarification, that to be eligible for the extension, the project had to be in contract with a lab by May 28, 2021. Yes, that date already passed. So if you signed your contract more recently, you had better hurry, because the September 22, 2021 deadline still applies to you! (Or, since that's a really tough timeline to make it work before the drop-dead date, get a RapidCert instead.)