The NCCoE’s Automation of the CMVP

news2024/11/16 21:35:07

Earlier today at the ICMC24, we heard from a panel about the US National Cybersecurity Center of Excellence’s (NCCoE) work on the Automated Cryptographic Module Validation Program (ACMVP), which intends to tackle the troublingly long queue times we’ve seen for a while. Currently, the temporary solution has been to issue interim certificates for modules that would need to wait in queue for months, possibly years. These interim certifications are only valid for two years with reduced assurance resulting from the decreased rigor in reviewing the submitted modules, however, which doesn’t fully accomplish the goals of requiring certification. The ACMVP aims to improve the efficiency of the validation process via automation to address the growing queue length while still maintaining a high level of rigor, assurance, and the five years of certificate validity.

For the project, NCCoE pulled together experts from CMVP, testing laboratories, and vendors to tackle areas of the CMVP FIPS 140-3 validation process where automation can enhance efficiency, with a special focus on the test report. The ICMC panel discussions by the NCCoE’s ACMVP cover the completed work and future plans of all three workstreams (Test Evidence (TE), Protocol, and Research Infrastructure) and demonstrated the AMVP (Automated Module Validation Protocol) server’s capability of generating a Security Policy (SP). atsec co-leads the TE Workstream with the CMVP and we want to take this opportunity to elaborate on the three major accomplishments that have been completed by this workstream.

1. Classifying TEs

The TE Workstream classified test evidence into the following categories, depending on what needs to be checked, inspected, or tested, and how the vendor evidence (VE) is supposed to be provided:

  • SP-TEs, whose assessments are based on reviewing the vendor provided SP
  • OD-TEs, whose assessments are based on reviewing the vendor documentation other than the SP, such as design documents, user guidance, finite state module, etc.
  • SC-TCs, whose assessments are based on inspecting the module’s source code
  • FT-TEs, whose assessments are based on exercising/executing the module to cover functional testing

The above TE categories may be used in combination, and help ensure clear, consistent, and structured filing in lab-provided TE assessments.

2. Filtering non-applicable Assertions (ASs) and their related TEs and VEs

The TE Workstream provided TE filtering criteria based on the module specification, such as security level, module type, embodiment type. The filtering rule also takes into consideration supplemental module information that the CMVP currently asks for but is not yet incorporated in the report template generation by Web Cryptik. Being able to filter TEs based on the module characteristics results in the list of TEs for labs to fill in being shortened, leading to clearer and more concise reports.

3. Unifying the SP and the test report in JSON

The TE Workstream translated the CMVP’s current SP template from the hybrid combination of a Word file skeleton with JSON tables to JSON only. This new structure facilitates the JSON report directly referencing the needed content in the JSON SP, and this will be the first time the Security Policy is written entirely using JSON and the first time the AMVP server can generate a matching SP PDF from the JSON SP.

The TE Workstream extends the reference-based reporting from SP-TEs to all TEs. To achieve this goal, they are working on an evidence catalog file that is also in JSON to capture descriptions of evidence for OD-TEs, SC-TEs, and FT-TEs. It is the first time a test report can reference a well-structured evidence catalog, which contains the SP JSON for SP-TEs, as well as evidence descriptions for other categories of TE. These shifts will reduce redundancy and eliminate the root cause of inconsistency by using the single data entry principle, where information is entered and maintained in the evidence catalog file and that data is pulled by other documents. The new JSON format for everything contributing to a module submission enables automating the checks for existence and completeness of the evidence catalog in relation to the test report.

These major improvements also have short-term impacts to the current CMVP, as creating them generated suggested changes for the CMVP’s current guidance on TEs that rely on verifying vendor documentation instead of functional testing or source code review.

And things won’t stop there! The TE Workstream is still working diligently to improve TE filtering coverage, further develop test method recommendations for function testing TEs, and finalize the JSON structure for the test evidence catalog. The end goal is to allow for an evidence catalog that can be easily referenced by testers when the CMVP reviewers ask for specific TE evidence while also demonstrating the correctness of the evidence to the reviewers.

Coupled with today’s ICMC panel discussion, the NCCoE published documentation about the ACMVP on their website for public review.

About a year ago, atsec made a short animation video clip and played it at the opening of ICMC23, pointing to the direction that the NCCoE ACMVP was heading. It’s worth revisiting the lighthearted clip for a high-level understanding of the new structure – we also think you’ll get a good laugh out of it. Many things illustrated in the clip have already been implemented, and the project is planned for completion in 2025.

https://www.atsec.cn/downloads/media/shortening_the_fips_queue_through_automation%20(720p).mp4

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/2157414.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

Apifox 「定时任务」操作指南,解锁自动化测试的新利器

定时任务是按照预设时间自动执行的任务,它可以有效解决一些常见问题,比如频繁执行的回归测试和大规模的接口测试,这些任务需要在固定时间点或间隔周期内自动运行,以确保软件的持续集成和持续交付过程中的稳定性和可靠性。通过使用…

实操学习——个人资料的录入、修改、密码的修改

实操学习——个人资料的录入、修改、密码的修改 一、个人资料的录入和修改知识补充:装饰器二、密码的修改知识补充:docker的关闭与启动 一、个人资料的录入和修改 在users的app下创建一个用户详情表 from django.contrib.auth.models import User from…

C/C++逆向:switch语句逆向分析

在逆向分析中,switch语句会被编译器转化为不同的底层实现方式,这取决于编译器优化和具体的场景。常见的实现方式包括以下几种: ①顺序判断(if-else链): 编译器将switch语句转化为一系列的if-else语句。这…

【第十四章:Sentosa_DSML社区版-机器学习时间序列】

目录 【第十四章:Sentosa_DSML社区版-机器学习时间序列】 14.1 ARIMAX 14.2 ARIMA 14.3 HoltWinters 14.4 一次指数平滑预测 14.5 二次指数平滑预测 【第十四章:Sentosa_DSML社区版-机器学习时间序列】 14.1 ARIMAX 1.算子介绍 考虑其他序列对一…

Flutter鸿蒙化(windows)

Flutter鸿蒙化(windows) 参考资料Window配置Flutter的鸿蒙化环境下载配置环境变量HarmonyOS的环境变量配置配置Flutter的环境变量Flutter doctor -v 检测的问题flutter_flutter仓库地址的警告问题Fliutter doctor –v 报错[!] Android Studio (version 2…

计算机前沿技术-人工智能算法-大语言模型-最新论文阅读-2024-09-18

计算机前沿技术-人工智能算法-大语言模型-最新论文阅读-2024-09-18 1. The Application of Large Language Models in Primary Healthcare Services and the Challenges W YAN, J HU, H ZENG, M LIU, W LIANG - Chinese General Practice, 2024 人工智能大语言模型在基层医疗…

软媒市场新探索:软文媒体自助发布,开启自助发稿新篇章

在繁华喧嚣的软媒市场中,每一个声音都在竭力呼喊,每一个品牌都在奋力展现。而软文,作为一种温柔而坚韧的营销力量,正逐渐崭露头角。特别是软文媒体自助发布平台的出现,更是为企业提供了一个全新的、高效的自助发稿渠道。 软媒市场自助发布平台,正如其名,是一个让企业能够自主发…

离职员工客户如何管理?解锁2024企业微信新功能

公司里员工来来去去很正常,但每次有人走,老板们都会头疼,因为客户信息得有人接着管。客户对公司来说太重要了,不能丢。2024年,企业微信出了个新招,就是员工离职后,客户信息可以轻松转给新来的员…

JVM的基本概念

目录 一、JVM的内存划分 二、JVM的类加载过程 三、JVM的垃圾回收机制(GC) 四、分代回收 一、JVM的内存划分 一个运行起来的Java进程,就是一个Java虚拟机,就需要从操作系统中申请一大块内存。申请的内存会划分为不同的区域&…

Maven笔记(一):基础使用【记录】

Maven笔记(一)-基础使用 Maven是专门用于管理和构建Java项目的工具,它的主要功能有: 提供了一套标准化的项目结构 Maven提供了一套标准化的项目结构,所有IDE(eclipse、myeclipse、IntelliJ IDEA 等 项目开发工具) 使…

计算机前沿技术-人工智能算法-大语言模型-最新论文阅读-2024-09-17

计算机前沿技术-人工智能算法-大语言模型-最新论文阅读-2024-09-17 1. Large Language Models in Biomedical and Health Informatics: A Review with Bibliometric Analysis H Yu, L Fan, L Li, J Zhou, Z Ma, L Xian, W Hua, S He… - Journal of Healthcare …, 2024 生物…

HarmonyOS应用开发(组件库)--组件模块化开发、工具包、设计模式(持续更新)

致力于,UI开发拿来即用,提高开发效率 正则表达式...手机号校验...邮箱校验 文件判断文件是否存在 网络下载下载图片从沙箱中图片转为Base64格式从资源文件中读取图片转Base64 组件输入框...矩形输入框...输入框堆叠效果(用于登录使用&#xf…

【自动驾驶】决策规划算法(二)参考线模块Ⅰ| 平滑算法与二次规划

写在前面: 🌟 欢迎光临 清流君 的博客小天地,这里是我分享技术与心得的温馨角落。📝 个人主页:清流君_CSDN博客,期待与您一同探索 移动机器人 领域的无限可能。 🔍 本文系 清流君 原创之作&…

(学习记录)使用 STM32CubeMX——GPIO引脚输入配置

STM32F103C8T6的GPIO引脚输入配置 时钟配置 (学习记录)使用 STM32CubeMX——配置时钟(入门)https://blog.csdn.net/Wang2869902214/article/details/142423522 GPIO 引脚输出配置 (学习记录)使用 STM32…

Springcloud框架-能源管理系统-能源管理系统源码-能源在线监测平台-双碳平台

一、介绍 基于SpringCloud的能管管理系统-能源管理平台源码-能源在线监测平台-双碳平台源码-SpringCloud全家桶-能管管理系统源码 有需者咨询,非诚勿扰; 二、软件架构 二、功能介绍 三、数字大屏展示 四、数据采集原理 五、软件截图

macos pyenv 安装python tk 、tkinter图形库方法步骤和使用总结

在macos中, pyenv 是一款用来管理多版本python 的工具, 我们常用的tk图形库是一个独立的工具库,我们在python里面使用的tkinter模块仅是调用这个独立的tk图形库, 所以如果我们希望在python里面使用它, 就必须要先安装t…

委托的注册及注销+观察者模式

事件 委托变量如果公开出去,很不安全,外部可以随意调用 所以取消public,封闭它,我们可以自己书写两个方法,供外部注册与注销,委托调用在子方法里调用,这样封装委托变量可以使它更安全,这个就叫…

金融加密机的定义与功能

金融加密机是一种用于保护金融交易数据和信息安全的重要安全设备。它通过硬件和软件的多重保障,确保金融交易中的敏感数据不被泄露或篡改。以下是关于金融加密机的详细介绍: 一、定义与功能 金融加密机是一种硬件安全设备,通过实现各种密码算…

深度deepin初体验(一)系统详细安装过程 | 国产系统

这里写自定义目录标题 深度deepin初体验(一)系统详细安装过程1.介绍2.安装要求3.环境4.创建虚拟机/系统升级系统选择语言硬盘分区备份文件拷贝系统重启常规设置 深度deepin初体验(一)系统详细安装过程 1.介绍 深度deepin是在debi…

Python开发深度学习常见安装包 error 解决

Python Python 是一种广泛使用的高级编程语言,它以其清晰的语法和代码可读性而闻名。Python 支持多种编程范式,包括面向对象、命令式、函数式和过程式编程。由于其简洁性和强大的标准库,Python 成为了数据科学、机器学习、网络开发、自动化脚…