25% off FIPS HACKER Lab Report

For the month of May, my FIPS Hacker Lab Report is on sale for 25% off.

That’s probably less than you would pay for a single hour of consulting. If this report does not save your company money and make your life better, then I will refund your purchase. 

This improved report contains FIPS 140-2 Program trending charts for the last 5 years and breakdown charts for 2016. The CMVP posted 294 FIPS 140-2 certificates in 2016 — more than any other year of the program.


Mark Minnoch is the creator of the FIPS HACKER Lab Report, the definitive source for historical performance information, expert guidance, and actual FIPS customer feedback.

How did your FIPS 140-2 project go?

Congratulations on your recent FIPS 140-2 certificate.

I am in the process of collecting feedback from companies that achieved a FIPS 140-2 certificate in November of 2016.

Your next book, gadget, or coffee is on me — I’d like to send you a $20 (USD) gift card for completing my survey.

In my survey, I ask that you click on a response for these questions:

How satisfied are you with your…
(1) … recent FIPS Lab experience?
(2) … FIPS Lab’s responsiveness?
(3) … FIPS Lab’s FIPS 140-2 expertise?
(4) … FIPS Lab’s expertise of your company’s technology?
(5) … FIPS Lab’s communication during your project?

Most people finish my survey in about 90 seconds. (You only need to click your response; no typing is required.)

Your time is valuable to me, so I will send you a $20 (USD) Amazon or Starbucks gift card. I still have budget to spend; please help me spend it.

Your feedback is aggregated with others and represented in a color chart (see partial sample above) to provide guidance to companies involved in FIPS 140-2 projects. To encourage honest feedback, there is no way to identify you when the data is consolidated and published.

If you completed a FIPS validation in October or November 2016, then please send me an email (mark@fipshacker.com) with your FIPS 140-2 certificate number. I will send back a link to my survey through Survey Monkey.

This offer to send you a $20 (USD) Amazon or Starbucks gift card for completing my survey EXPIRES on Friday, December 23, 2016 at 11:59 PM Pacific.


Final Pitch

Reasons why people like you are spending 90 seconds to complete this survey:

  1. $20 Amazon or Starbucks gift card – I really do send this for every completed survey
  2. Your FIPS Lab could have done a better job and you want to anonymously let them know where to improve
  3. Your FIPS Lab did a great job and you want to anonymously reward excellent support

Send me an email (mark@fipshacker.com) with your FIPS 140-2 certificate number. I will send you a link to my quick survey.



Certificates by Security Level

Level 1 FIPS 140-2 certificates account for 50% of the total certificates issued during the 12 month period from October 2015 through September 2016.

Certificates by Security Level

This graph and more are available in my FIPS HACKER Lab Report



Format change for Modules in Process List

The NIST Modules in Process website now contains two reports (MIP List and IUT List) showing the status of FIPS 140-2 cryptographic modules in the testing process.

The FIPS 140-2 Modules In Process List (MIP List) contains the cryptographic modules that are stepping through the following milestones:

  • Review Pending – The CMVP received a complete report package
  • In Review – Report Reviewers assigned at the CMVP
  • Coordination – CMVP comments returned to the FIPS Laboratory
  • Finalization – Administrative processing to post the certificate

Sample MIP List entries:

MIP List


The FIPS 140-2 Implementation Under Test List (IUT List) contains cryptographic modules that are in the testing process with a FIPS Laboratory. The IUT Date indicates when the cryptographic module was first added to the list.

Sample IUT List entries:

IUT List

Both lists are updated daily.

Once a report package has been submitted to the CMVP by the FIPS Laboratory, a cryptographic module will be removed from the IUT List and then added to the MIP List.

Participation in both lists is optional. The vendor may elect to not be listed.



New NIST Fees for FIPS 140-2 Certificates on Oct 1, 2016

The Cost Recovery (CR) fees for new and modified FIPS 140-2 cryptographic module submissions changed on October 1, 2016.

IG G.8 Scenario 5 CR Fees (by Security Level):

  • Security Level 1 – $6000
  • Security Level 2 – $8000
  • Security Level 3 – $11000
  • Security Level 4 – $15000

All of the CR Fees for IG G.8 Scenario 5 have increased.

The CR Fee for an IG G.8 Scenario 3 has increased to $3000.

The CR Fees for IG G.8 Scenarios 1A and 1B have decreased to $1500 (for all Security Levels).

Descriptions of IG G.8 Scenarios 1A, 1B, 3 and 5 are in the FIPS 140-2 Implementation Guidance (IG G.8).

The updated CR Fee pricing is posted in the Notices section of the CMVP website.



FIPS certificate totals for 2nd Quarter 2016

From 2011 to 2015, the CMVP issued an average of 208 new FIPS 140-2 certificates each year. With 72 certificates issued during the 2nd Quarter 2016, we are seeing a large spike in the number of completed validations. Here is the performance chart showing the certificate totals by lab for last quarter.

Cert. Totals by Lab Q2 2016


Here are the results for the past year.

Cert. Totals by Lab past year

For more charts, lists, and expert guidance, please download my FIPS HACKER Lab Report – 2nd Quarter 2016.



FIPS module for OpenSSL 1.1 in the works

SafeLogic has some exciting news to share today. With SafeLogic’s commitment to the project, the OpenSSL development team will create a FIPS 140-2 validated module for OpenSSL 1.1 after all.

I am excited to be involved in the next FIPS 140-2 cryptographic module validation for OpenSSL 1.1. This will be the most important FIPS 140-2 validation in the program's history.

The OpenSSL development team is responsible for the coding of the FIPS module. SafeLogic is the leading sponsor of the project providing consulting, documentation services, and project management. Acumen Security is providing the FIPS 140-2 Laboratory testing services.

OpenSSL’s announcement

SafeLogic’s announcement 

Acumen Security’s announcement

Please contact me if you have questions.


Mark Minnoch is leading the OpenSSL 1.1 FIPS Module validation at SafeLogic. Please contact him if you would like to contribute to the success of this project.

https://www.linkedin.com/in/minnoch

Format-preserving encryption (FPE) in the FIPS Approved mode of operation

The FIPS 140-2 Implementation Guidance (A.10) now includes vendor affirmation requirements for the format preserving encryption schemes (FF1, FF3) specified in SP 800-38G.

As its name suggests, format preserving encryption transforms plaintext into ciphertext of the same format and length: a string of 16 decimal digits encrypts to another string of 16 decimal digits. For example, a legacy application can protect 16-digit credit card numbers and 9-digit social security numbers in a database without changing the column definitions or storage allocations. Because the ciphertext stays in the plaintext's domain, it necessarily reveals the plaintext's length and alphabet; FF1 and FF3 therefore take a tweak (for example a record or field identifier) so that the same value encrypted in different contexts does not produce the same ciphertext.

Until CAVP algorithm testing for FF1 and FF3 is available, vendors that want format preserving encryption in the FIPS Approved mode of operation will need to complete CAVP testing for the underlying AES implementation, update the module documentation, and vendor-affirm compliance to SP 800-38G as described in IG A.10.
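To make the "same format and length" property concrete, here is an added illustration (not code from this post, SafeLogic, or NIST) of the alternating-half Feistel structure that SP 800-38G FF1 uses over decimal digit strings: ten rounds, a keyed round function reduced modulo radix^m, and modular addition so every intermediate value stays a digit string of the right length. It is an assumption for illustration only that HMAC-SHA256 stands in for the AES-based PRF FF1 actually specifies, so this is not FF1, not FF3, and not an Approved algorithm; the key, card-number-like value and tweaks below are constructed test inputs.

```python
"""FF1-style Feistel format-preserving encryption over decimal digit strings.

Added illustration only. Follows the FF1 round structure (SP 800-38G) but
substitutes HMAC-SHA256 for the AES-CBC-MAC based PRF, so it is NOT FF1,
NOT FF3 and NOT FIPS Approved. Do not use it to protect real data.
"""
import hashlib
import hmac

RADIX = 10    # alphabet: decimal digits (PAN and SSN style fields)
ROUNDS = 10   # FF1 specifies 10 Feistel rounds


def _check(key: bytes, text: str) -> None:
    """Reject short keys and inputs outside the digit domain (isdigit() would accept
    Unicode digits such as superscripts, so test against ASCII digits explicitly)."""
    if len(key) < 16:
        raise ValueError("key must be at least 16 bytes")
    if len(text) < 2 or any(ch not in "0123456789" for ch in text):
        raise ValueError("input must be two or more ASCII decimal digits")


def _num(digits: str) -> int:
    """NUM_radix: interpret a digit string as an integer, most significant digit first."""
    return int(digits, RADIX)


def _str(value: int, length: int) -> str:
    """STR^length_radix: encode an integer < RADIX**length as exactly `length` digits."""
    return str(value).zfill(length)


def _prf(key: bytes, tweak: bytes, n: int, i: int, half: str, m: int) -> int:
    """Round function: keyed PRF over (tweak, total length, round index, other half),
    reduced into [0, RADIX**m). HMAC-SHA256 here is the assumed stand-in for
    the AES-based construction FF1 specifies."""
    msg = tweak + n.to_bytes(2, "big") + bytes([i]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** m)


def encrypt(key: bytes, tweak: bytes, plaintext: str) -> str:
    """Encrypt a digit string to a digit string of the same length."""
    _check(key, plaintext)
    n = len(plaintext)
    u, v = n // 2, n - n // 2            # FF1 split: left half u, right half v digits
    a, b = plaintext[:u], plaintext[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v       # length of the half being replaced this round
        y = _prf(key, tweak, n, i, b, m)
        c = (_num(a) + y) % (RADIX ** m) # modular addition keeps c inside the domain
        a, b = b, _str(c, m)
    return a + b


def decrypt(key: bytes, tweak: bytes, ciphertext: str) -> str:
    """Invert encrypt(): run the rounds backwards with modular subtraction."""
    _check(key, ciphertext)
    n = len(ciphertext)
    u, v = n // 2, n - n // 2
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _prf(key, tweak, n, i, a, m)
        c = (_num(b) - y) % (RADIX ** m)
        a, b = _str(c, m), a
    return a + b


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # constructed 16-byte key
    pan = "4111111111111111"                                 # constructed 16-digit value
    ct = encrypt(key, b"", pan)
    print(pan, "->", ct, "->", decrypt(key, b"", ct))
    # Same value under a different tweak (e.g. the record id) gives a different ciphertext.
    print(pan, "-> (tweak customer-0042)", encrypt(key, b"customer-0042", pan))
```

The point to take from running it: the ciphertext is always another all-digit string of exactly the input length, which is what lets it drop into an existing column, and the tweak is what stops two records holding the same card number from storing the same ciphertext.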

If you have a requirement to provide format preserving encryption to your customers that require FIPS 140-2 validated cryptography, then please contact me today.

Mark Minnoch is a Technical Account Manager at SafeLogic. Please contact him if you have plans for format preserving encryption or any other crypto requests.

Heartbleed put the Heartbeat back in OpenSSL

During Tim Hudson’s presentation – An Overview of OpenSSL – at the ICMC in Ottawa (May 19, 2016), Tim argued that the Heartbleed Bug was actually a good thing for OpenSSL and developers using crypto. 

After talking with Tim later that evening, I am absolutely convinced this is true. Two years after the Heartbleed vulnerability, the OpenSSL project has drastically improved the 3 P’s: people, processes, and product.

This revelation, I felt, was worthy of a blog post on FIPS Hacker since OpenSSL is the most popular crypto library in the universe. As good fortune would have it, Juha Saarinen already penned an excellent article titled: Stemming Heartbleed with the human element

Mark Minnoch is a Technical Account Manager at SafeLogic. Our CryptoComply FIPS module is drop-in compatible with OpenSSL.

FIPS 140-2 for Newbies

Here is a collection of links to information about FIPS 140-2:


A software engineer’s guide to encryption: How not to fail (written by Luther Martin of HPE) provides a good overview of the importance of FIPS 140-2.


The FIPS 140-2 Publication has some good introductory material.

It is easy to get bogged down attempting to read the publication start-to-finish. I suggest that you begin by quickly reading the following sections:

  • Section 1 – Overview
  • Section 1.1 – Security Level 1
  • Section 3 – Functional Security Objectives

The CMVP landing page answers the following questions:

  • What is the purpose of the CMVP?
  • What is the applicability of CMVP to the US government?
  • How does Common Criteria (CC) relate to FIPS 140-2?

The SafeLogic team partnered with Champion Research to learn more about the FIPS 140-2/CMVP experience. This information is available from SafeLogic’s Whitepapers page.


My “FIPS Hacker” July 2015 blog posts contain information about accelerating your FIPS project and common acronyms.


If this is your first FIPS project or you are looking for a new FIPS Lab, then I created the FIPS HACKER Lab Report specifically for you.


I am happy to be a resource to you. Please contact me.

Mark Minnoch is a Technical Account Manager at SafeLogic. Our CryptoComply FIPS module can accelerate your FIPS project.