For vendors offering capability to the U.S. Department of Defense (DoD), the use of Federal Information Processing Standard (FIPS) validated cryptography can be a make-or-break feature within their products. Active FIPS certification for all product cryptographic modules is a key requirement for entry and continued listing on the DoD Information Network Approved Product List (DoDIN APL), the DoD’s primary listing of approved products for procurement.
The National Institute of Standards and Technology (NIST) is the U.S. Government’s organization responsible for developing the measurements and standards that comprise FIPS. NIST manages the Cryptographic Module Validation Program (CMVP), which is the process by which individual cryptographic modules and algorithms are validated through rigorous third-party testing against the FIPS standards, and then certified by the NIST CMVP team based on the results of testing. Only cryptographic modules and algorithms that have been certified through the CMVP process are considered FIPS validated.
The FIPS standard is continually evolving, improving the cryptographic capabilities available to protect sensitive government information, countering emerging vulnerabilities in cryptography, and eliminating the use of obsolete cryptographic methods that have been rendered ineffective due to technological advancements. When standards are updated, all existing certifications must address the new requirements by the stated deadline – or they will automatically be transitioned to a historical status. When a module is in historical status, it is no longer fully approved for DoD use – and products reliant on those modules to perform cryptographic operations generally will not be permitted to proceed through the DoDIN APL process.
As with most U.S. Government certification processes, the CMVP has always been a lengthy ordeal due to its complexity, depth and rigor, combined with multiple accredited third-party testing labs submitting their results to a single government approval authority. Historically, government offices are labor-constrained due to competing fiscal budgets – and without effective top-down prioritization of funding, gatekeeper programs such as the NIST CMVP and the DoDIN APL trend toward insufficient staffing to accommodate timely processing of the volume of technology submissions necessary to keep the DoD’s IT infrastructure modernized and competitive.
Several major factors surrounding the CMVP have also contributed to significant delays in time to federal market for newer vendor capabilities:
- Years of continuing resolution (CR) budgetary funding has kept many federal government organizations from operating at their required potential.
- The COVID-19 pandemic resulted in a drastically reduced capability for many organizations, while leaders worked to adjust business processes to the resulting remote-work and reduced on-site staffing requirements that have now become the de facto standard for most IT and administrative workforces.
- The FIPS 140-3 transition went into effect at the height of the pandemic. This transition implements updated cryptographic standards replacing the legacy FIPS 140-2 standard. The scheduling of this transition, however, has been detrimental. FIPS 140-2 submissions were ended in September of 2021. As of September 2022, there have been no modules certified through the new FIPS 140-3 process. This has resulted in a year-long and growing gap for all new cryptographic capabilities entering the DoD, causing a cascading impact on vendors seeking entry or maintenance of products on the DoDIN APL due to the inability to achieve FIPS validation for their current cryptographic modules. A growing number of technologies are trapped on end-of-support/end-of-life platforms that cannot be phased out until their replacements have achieved FIPS 140-3 validated cryptographic modules.
- The SP 800-56A Rev3 transition also went into effect at the same time as the FIPS 140-2 standard was being deprecated. This transition has caused a number of widely utilized cryptographic modules to enter a historical status, including those bundled with the DoD’s most commonly used Microsoft and Linux-based operating systems. While vendors were provided at least 1 year to update their FIPS certifications to reflect the changes of the SP 800-56A Rev3 update, this has been insufficient to accommodate the many challenges. The impacts of the COVID-19 pandemic on both the commercial and federal workforce, combined with the existing and growing backlog at NIST for finalizing packages that have already completed testing, have placed many modules in a months-long limbo. As a result, many of the products reliant on these modules are unable to proceed through the DoDIN APL or further DoD procurements.
In reviewing the current in-process list, it is clear that many of the products submitted under both FIPS 140-2 and FIPS 140-3 are stuck in a backlog waiting to be processed by NIST. As of September 14, 2022, there are over 221 packages in the NIST queue, many of which have been in the queue for well over 6 months. The overall sentiment from industry is that federal certification processes take so long to complete, and are often so serial in nature, that by the time products are finally certified for procurement they are already well into obsolescence.