IG Updates: Chasing the Moving Target (C31c)
Recently, the CMVP Implementation Guidance (IG) began to be released every quarter. This is a welcome change which helps to keep track of the latest algorithm standards, transition announcements, the development of the new configurations, etc.
On the other hand, because of the frequent updates to the IG, some vendors have difficulty meeting the requirements of the new and revised IGs. This is very often seen in software products, which have a shorter product lifecycle. Vendors of such products are often interested in revalidating newer versions of their module where the changes made to the module are not crypto related but are instead updates for code cleanup, performance enhancement, etc., which fit into the 1SUB revalidation category. A situation then arises in which new or revised IGs have been published since the module was last validated. This forces the vendor to go through 3SUB revalidation even if the only security-relevant change is one made to meet the new requirements of the IG.
This presentation aims to propose a new submission category for revalidation that will include modules where the security-relevant changes are made only to meet the new/updated IG requirements. Currently, the CMUF working group called “Response to CVEs” is working to introduce a subsection to scenario 3 revalidation in IG G.8, such as 3a, which would be a combination of scenarios 3 and 1. Along similar lines, this presentation will analyze the different options for where this new category can best be fitted for submission under 1SUB, 2SUB, or 3SUB, and will also propose different aspects to consider for this category, including the required evidence, documentation, and testing.
Introducing this category will have the following advantages:
1) Vendors looking for revalidations will be able to leverage the faster validation process.
2) It will also encourage vendors to update their product to enhance its security by keeping it up-to-date with the new versions of the IG.
Updating the IG to embrace new technology, while at the same time taking the vendors' needs into consideration, will help to nurture a stronger relationship for the future.