Mandating CMVP for NIAP Evaluations Panel Presentation (C13a) Moderator: Dianne Hale, NIAP, United States, Panelists: Michael Cooper, IT Specialist, NIST, United States; Terrie Diaz, Product Certification Engineer, Cisco Systems, United States; Matt Keller, Corsec, United States; Edward Morris, Co-founder, Gossamer Security Solutions, United States; Nithya Rachamadugu, Director Cygnacom United States
By mandating this, it will reduce duplicate work
Mike Cooper - of course we'd like to see more people leveraging our programs, but we know NIAP has to worry about the timeline. We currently can't do things in parallel. But, there are slight differences, depending on which PP you're looking at. FIPS 140-2 is a 1 size fits all. We'd have to do work to see what the differences are and figure out how to go forward.
Ed Morris - we see this from our customer perspective. When they are doing a common criteria project, we have to figure out if FIPS will be required or not - if it's for DoD, etc, then they will need both. Managing that timeline is very difficult.
Matt Keller - been doing this for more than 20 years as a consultant (not a lab). It's an interesting idea. There are a lot of things FIPS does very well: no unbounded surfaces, well defined interfaces, but it's not perfect. Can we leverage each? Products do not always equal modules. Most people were not just buying crypto modules - they are buying a product that contains a module. NIAP gives more assurance at the product level. We can't just look at crypto - we need to consider how the keys are stored. We want to look at the entire product, making sure the module we tested is being used correctly in the product.
Nithya Rachamadugu - remembers doing this when crypto was treated by CC as a black box. CMVP in some places has more tests and requirements and vice versa.
Terrie Diaz - been working in this space for 20 years. Cisco has a large profile of products that are certified and sold through many countries. Don't really want to do country specific certifications, something that is more general would be more appealing.
Ed - it would be nice if they could point to each other's certificates. Not sure this would work in practice. NIAP covers the entire product, and modules are just the crypto bits. Vendors want to shrink their crypto boundaries for FIPS as small as possible to avoid revalidation thrash. But what happens is we miss out on how keys are handled and stored, for example. FIPS is a once size fits all - smartcard to server. And it's grown from older standards, which brings a lot of extra things. CC has updated PP that are more relevant for your product.
Matt K. - there are labs are doing FIPS inside testing, so we are solving this problem - it's just not standardized (and no regulation or oversite).
Nithya - CC is compliance and FIPS is a validation. They have different goals. Maybe not mandated, but leveraged?
Ed - we hear sometimes from customers that we don't need to worry about their crypto, because they're already going through a CMVP validation, but then we find they are not using it correctly based on CC.
Question: there's already a divergence for various countries. What can we do better here?
Matt K - we could pull the most valuable pieces from FIPS and put it in CC PP. But, if the law still requires you buy FIPS validated crypto... then this won't meet your requirement.
Q: It would be good to keep these standards in sync. Ed - yes, that would help us to avoid thrash. But linking them together can be quite hard. Nithya - I get questions all the time about which one to start first, my advice is start at the same time. You will be able to leverage the work of each other. What if you find an issue along the way? lots of things to consider.
Mike C. - as a government purchaser, I do want to see how these assurance cases tie together.
Ed - maybe we should decrease the scope of FIPS so we can better work together.
This was followed by a good discussion on timing - vendors really want this all to happen as fast as possible for the most benefit.
Taste The Rainbow - [gazing dramatically into distance] *Sooome... WHERE.... oooover the rainbow! * *My, oh my. * *There's a cake that I heard of * *Once that I'd lik...