[12-16-2003] AES MAC for OTAR for use in radios.
Effective December 12, 2003, the CMVP will recognize the use of AES MAC (CBC-MAC based on AES defined in Project 25 TIA-102.AACA-1) for the Digital Radio Over-the-Air Rekeying (OTAR) Protocol when operated in a FIPS Approved mode. Further details in CMVP FAQ.
[08-07-2003] With the passage of the Federal Information Security Management Act of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards. For further information, please go to the CMVP FAQs Section 3.2.
[06-12-2003] -- CNSS Policy No. 15, Fact Sheet No. 1
National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information, June 2003.
[02-10-2003] -- Development of Cryptographic Module Validation Program Management Processes:
The U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) jointly manage the Cryptographic Module Validation Program (CMVP). The CMVP validates commercial cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography based standards such as algorithms. Products validated as conforming to FIPS 140-1 or FIPS 140-2 are accepted by the Federal agencies of both countries for the protection of sensitive but unclassified information (Government of the United States) or designated information (Government of Canada).
In the CMVP, vendors of commercial cryptographic modules use independent, accredited Cryptographic Module Testing (CMT) laboratories to have their modules tested. Laboratories accredited by National Voluntary Laboratory Accreditation Program (NVLAP) perform cryptographic module compliance/conformance testing.
The CMVP Team has begun the process of reviewing and updating its CMVP management processes. The intent is to better define the policies and processes that govern the CMVP Team, the laboratories and the vendors.
The deliverable is the CMVP Management Manual that will refine the already existing policies and collate them in one document. The CMVP Team will also add new policies, processes and requirements that will affect present and new CMT laboratories, and the vendors of validated cryptographic modules. Amongst other things, new requirements will be added in the areas of:
- CMT laboratory personnel
- Communication between the CMVP, CMT laboratories, vendors and consulting firms
The first draft of the CMVP Management Manual is expected to be available for public review during the fall of 2003 and will be finalized during the winter of 2004.