The most common question we receive from clients on the FIPS Validation process is: “after my validation report has been sent to the Cryptographic Module Validation Program (“CMVP”), how long will it take to complete the Validation?” This post outlines the stages a module passes through in the CMVP’s review process, along with the average duration of each stage.
After the lab receives some preliminary inputs, including a draft Security Policy (“SP”), a module can be placed on the Implementation Under Test List (“IUT list”). The IUT list allows vendors to point their stakeholders to a NIST-hosted list showing that they are working with an approved lab to validate their module. As of June 8th, 2021, the IUT list had 186 modules under contract at various labs. A module can remain on the IUT list for up to 18 months, or until the lab submits the validation report and package to the CMVP. Upon report submission, the module is moved from the IUT list to the Modules in Process List (“MIP list”), with a preliminary status of Review Pending.
The MIP list includes four stages to represent the CMVP’s review progress:
- Review Pending: This is the initial stage and signifies all necessary documents and a conformant module have been provided to the CMVP for review. The vendor is also required to pay a NIST Cost Recovery Fee to the CMVP prior to the module being moved to the next stage.
- In Review: This stage indicates that a CMVP Validator has been assigned to review the validation package.
- Coordination: Once the lab has received the first set of comments from the Validator, the module is listed as in Coordination. This stage requires the lab (with support from the vendor as needed) to address the Validator’s questions, comments, or requests for clarification. A typical project sees a few rounds of comments from the CMVP. The lab has a maximum of 90 days to answer the Validator’s questions for each round of comments issued.
- Finalization: The final stage is relatively short and corresponds to the final resolution of comments, certificate listing details and the administration of posting the Validation Certificate.
Upon receiving Validation, the module is posted on the CMVP’s Validated Modules list, which displays various details about the validation, including: a) the non-proprietary security policy; b) vendor contact information; c) lab information; d) type of module; e) cryptographic algorithms supported; f) supported platforms; and g) the sunset date after which the module will expire and be moved to the historical list.
Figure 1, below, shows the average duration that a module spends in each stage of CMVP review. Finalization times are not tracked in Figure 1 because most modules spend only one to two days in this stage. It is worth noting that vendors can typically participate in federal procurement opportunities once their module is listed on the IUT or MIP lists, irrespective of its stage in the CMVP’s review, because the agencies are aware of the typical timeframes involved.
The time from a module’s listing on the IUT list to its “Review Pending” status on the MIP list accounts for 34% of the average total duration of the CMVP review stages, as can be seen in Figure 1. During this stage, the lab is conducting its testing of the module. The CMVP does not require a module to be placed on the IUT list, nor does it mandate when in the process this should occur. Consequently, the duration can vary widely depending on individual vendor circumstances.
Figure 2, below, displays the range of durations observed from a module being listed on the IUT list until it receives Review Pending status on the MIP list. As the trendline shows, the duration in Figure 2 grew from mid-2019 through 2020, but averages approximately six months. This data includes labs that had a minimum of 5 validations between January 1, 2020, and May 31, 2021, as well as any new submissions to the IUT list within that period.
After a module has been listed on the MIP list, it is often referred to as “in the queue”. The queue is the time from receipt of Review Pending status until Validation. Figure 3, below, shows the fluctuation of these queue wait times from Q1 2020. Queue time can vary based on several factors, including the number of validation packages submitted, COVID-19-related work constraints, and the complexity of comments to be resolved during the coordination phase. The average duration of the coordination phase exceeds 90 days, which indicates that most modules receive more than one round of comments from the CMVP.
The CMVP has indicated that it is taking steps to address the long queue time, in anticipation of the large number of validation packages expected to be submitted in advance of the upcoming transition to FIPS 140-3.
Lightship amalgamates data from the IUT and MIP lists and consolidates it for analysis. It is worth noting, however, that changes in vendor or module naming, or status updates that differ from the standard progression, may not always be consolidated accurately. The data in Figures 1-3 covers module validations posted from January 1st, 2020, to May 31st, 2021.
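As an added illustration of the consolidation described above (example code, not Lightship’s own tooling), the script below tracks a module across dated list snapshots, computes the days spent in each stage, and sets aside modules whose status sequence does not follow the standard progression so they do not skew the averages. The snapshot format, module names and dates are constructed for this example.

```python
"""Per-stage durations from dated IUT/MIP list snapshots (added example)."""
from collections import defaultdict
from datetime import date

# Standard progression of listings, as described in the post.
STAGES = ["IUT", "Review Pending", "In Review", "Coordination",
          "Finalization", "Validated"]
RANK = {s: i for i, s in enumerate(STAGES)}

# Constructed snapshots: (snapshot date, module name, status on that date).
SNAPSHOTS = [
    (date(2020, 1, 6), "Example Crypto Module", "IUT"),
    (date(2020, 7, 6), "Example Crypto Module", "Review Pending"),
    (date(2020, 9, 14), "Example Crypto Module", "In Review"),
    (date(2020, 10, 5), "Example Crypto Module", "Coordination"),
    (date(2021, 1, 25), "Example Crypto Module", "Finalization"),
    (date(2021, 1, 27), "Example Crypto Module", "Validated"),
    # A listing that moves backwards: a non-standard progression.
    (date(2020, 3, 2), "Other Module", "In Review"),
    (date(2020, 4, 6), "Other Module", "Review Pending"),
]


def stage_durations(snapshots):
    """Return ({module: {stage: days}}, [irregular module names]).

    A module's status must advance strictly through STAGES; anything else
    is reported as irregular rather than silently averaged in.
    """
    by_module = defaultdict(list)
    for day, name, status in snapshots:
        by_module[name].append((day, status))
    durations, irregular = {}, []
    for name, events in by_module.items():
        events.sort()
        ranks = [RANK[s] for _, s in events]
        if any(b <= a for a, b in zip(ranks, ranks[1:])):
            irregular.append(name)
            continue
        # Days in a stage = next snapshot date minus the date it was entered.
        durations[name] = {s: (events[i + 1][0] - day).days
                           for i, (day, s) in enumerate(events[:-1])}
    return durations, irregular


def stage_share(per_stage, stage):
    """Fraction of a module's total tracked time spent in one stage."""
    total = sum(per_stage.values())
    return per_stage[stage] / total if total else 0.0
```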
If you are planning on pursuing a FIPS 140-3 Validation, please reach out to the testing experts at Lightship Security to help get you there.