Carolyn French, ITS Engineer, CSE; Michael Cooper, IT Specialist, NIST; Apostol Vassilev, Cybersecurity Expert, Computer Security Division, NIST
NIST will be increasing he fees for one year, cost recovery fees, so that they can hire contractors to work through the backlog.
In August 2015, NIST published a Federal Registry Notice seeking public comment on he potential use of certain ISO/IEC standards and crypto module testing, conformance and validation activities. They did not get much feedback, other than complaints that this was a pay based set of standards.
Question on contractor strategy: we are now getting unusual questions and our labs have to spend time educating the contractors. Request for satisfaction with this strategy. Michael agreed it was fair point, but that they have smart people.
Note on why they did not receive many comments: questioner said he's on the NIST public list, but the call for comments did not go there, it was only published on the federal register. NIST noted it was posted to a few places, and asked their labs to reach out.
Question: while it looks like we're moving towards ISO standard, what would happen if we don't get it approved by Secretary of Commerce? Answer: you'd have to wait a loooong time for us to generate something else.
When the new standard is signed, folks will have 12 months to submit under the old standard.
CMVP queue is down from 12 months to 3 months, they are trying to get this down further. Part of the current delay waiting for the cost recovery funds to come in. This can be slow due to large companies' PO process. Labs can speed this up by requesting the funding from their clients sooner - or possibly NIST needs to bill sooner? For example, NIST should not wait until the test report is received, but rather send the bill when they are notified that there is a system under test - or some other time before the test report is submitted.
Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!
Now THAT'S Putting A Face On Wreckage - Yesterday a couple of you posted *this* on the Cake Wrecks' Facebook page: I'll give you a moment. [whistling] Now, I have no idea where it came from, b...