The SafeLogic Blog

NIST Announces Availability of FIPS 140-3 Interim Validation Option

May 23, 2024 Evgeny Gervis

FIPS 140-3

NIST publicly announced this week a brand-new interim validation option under which cryptographic modules that have been submitted to NIST’s Cryptographic Module Validation Program (CMVP) will be able to secure fast-tracked interim FIPS 140-3 validation. With a large backlog of FIPS 140-3 validations in the NIST CMVP queue, NIST is making some important structural changes to the validation process, such as rolling out automation that will make it far more efficient to identify non-conformances and thus move the review process along more quickly. Interim validation is being introduced as a way to reduce the size of the current queue and to ensure that a sufficient number of modules can achieve FIPS 140-3 validation status before modules validated under FIPS 140-2 sunset and move to the historical list.

To qualify for this interim validation, cryptographic modules submitted to NIST CMVP will need to meet very specific requirements.  The following bulleted lists come verbatim from NIST’s CMVP website (https://csrc.nist.gov/projects/cryptographic-module-validation-program):

  • Submitting Cryptographic Security Testing (CST) lab must be in an active status with NVLAP.
  • Received by the CMVP prior to 1 Jan 2024, and have not yet been validated. 
  • Fully tested and evaluated for conformance to the FIPS 140-3 standard by an active, accredited CST lab.
  • Recommended for validation by the accredited CST lab who performed the testing. 
  • In addition to the original submission documents, the CST lab must also complete and sign a CMVP-provided requirement checklist.  
  • The vendor must inform the CMVP through their CST lab if they elect to choose interim validation. Electing for interim validation is available until 1 Oct 2024. 

NIST CMVP will review modules for completeness and there will be a short period of coordination between NIST CMVP and the CST Lab to resolve any questions.   Once the interim validation is completed:

  • A two-year sunset date (expiration date) will be awarded.
  • The “Interim Validation” caveat will be added to the certificate validation entry to distinguish them from a full validation
  • An optional follow-up submission that conforms to the SP 800-140Br1 format may be submitted to the CMVP.  Upon successful review and completion of this submission, the “Interim Validation” caveat will be removed, and the sunset date modified to add three more years to reflect a change from two to five years for the total sunset length.
  • Any non-compliance identified (e.g., during the follow-up review) will be resolved with existing processes and provide the opportunity for a timely resolution prior to moving the validation certificate to the Historical or Revocation lists
  • This follow-up submission must be received by the CMVP prior to the two-year sunset date to remain on the active list until the completion of the follow-up submission. 
  • The validation will be moved to the historical list if the follow-up submission is not received prior to the two-year sunset date. 

The pursuit of the interim validation option is voluntary, and cryptographic module vendors can choose to wait for full validation without taking any action. 

NIST is taking this important action after consultation with its Cryptographic and Security Testing (CST) laboratories and the cryptographic module vendor community.  It was necessary to make some changes in the FIPS 140-3 validation process to meet the demand that the world has for FIPS 140-3 validated cryptographic modules, and so NIST is doing just that.

Given these new developments, it is natural that many organizations will have questions.  If you find yourself having questions, please do not hesitate to reach out to us.  SafeLogic is well prepared and positioned to help its customers with an orderly transition from FIPS 140-2 to FIPS 140-3 modules in a white-glove fashion.  We can help your organization obtain your very own FIPS 140 certification in approximately eight weeks, then keep that certification active through all the transitions, including the FIPS 140-2 to FIPS 140-3 transition.  This way, your organization can rest assured that the SafeLogic cryptography you use in your own products will meet the requirements of government agencies for both continued operation and for new procurements, giving your company a distinct competitive advantage.

 

Evgeny Gervis


Evgeny is the CEO of SafeLogic.
