The NCCoE’s Automation of the CMVP

Earlier today at the ICMC24, we heard from a panel about the US National Cybersecurity Center of Excellence’s (NCCoE) work on the Automated Cryptographic Module Validation Program (ACMVP), which intends to tackle the troublingly long queue times we’ve seen for a while. Currently, the temporary solution has been to issue interim certificates for modules that would need to wait in queue for months, possibly years. These interim certifications are only valid for two years with reduced assurance resulting from the decreased rigor in reviewing the submitted modules, however, which doesn’t fully accomplish the goals of requiring certification. The ACMVP aims to improve the efficiency of the validation process via automation to address the growing queue length while still maintaining a high level of rigor, assurance, and the five years of certificate validity.

For the project, NCCoE pulled together experts from CMVP, testing laboratories, and vendors to tackle areas of the CMVP FIPS 140-3 validation process where automation can enhance efficiency, with a special focus on the test report. The ICMC panel discussions by the NCCoE’s ACMVP cover the completed work and future plans of all three workstreams (Test Evidence (TE), Protocol, and Research Infrastructure) and demonstrated the AMVP (Automated Module Validation Protocol) server’s capability of generating a Security Policy (SP). atsec co-leads the TE Workstream with the CMVP and we want to take this opportunity to elaborate on the three major accomplishments that have been completed by this workstream.

1. Classifying TEs

The TE Workstream classified test evidence into the following categories, depending on what needs to be checked, inspected, or tested, and how the vendor evidence (VE) is supposed to be provided:

  • SP-TEs, whose assessments are based on reviewing the vendor provided SP
  • OD-TEs, whose assessments are based on reviewing the vendor documentation other than the SP, such as design documents, user guidance, finite state module, etc.
  • SC-TCs, whose assessments are based on inspecting the module’s source code
  • FT-TEs, whose assessments are based on exercising/executing the module to cover functional testing

The above TE categories may be used in combination, and help ensure clear, consistent, and structured filing in lab-provided TE assessments.

2. Filtering non-applicable Assertions (ASs) and their related TEs and VEs

The TE Workstream provided TE filtering criteria based on the module specification, such as security level, module type, embodiment type. The filtering rule also takes into consideration supplemental module information that the CMVP currently asks for but is not yet incorporated in the report template generation by Web Cryptik. Being able to filter TEs based on the module characteristics results in the list of TEs for labs to fill in being shortened, leading to clearer and more concise reports.

3. Unifying the SP and the test report in JSON

The TE Workstream translated the CMVP’s current SP template from the hybrid combination of a Word file skeleton with JSON tables to JSON only. This new structure facilitates the JSON report directly referencing the needed content in the JSON SP, and this will be the first time the Security Policy is written entirely using JSON and the first time the AMVP server can generate a matching SP PDF from the JSON SP.

The TE Workstream extends the reference-based reporting from SP-TEs to all TEs. To achieve this goal, they are working on an evidence catalog file that is also in JSON to capture descriptions of evidence for OD-TEs, SC-TEs, and FT-TEs. It is the first time a test report can reference a well-structured evidence catalog, which contains the SP JSON for SP-TEs, as well as evidence descriptions for other categories of TE. These shifts will reduce redundancy and eliminate the root cause of inconsistency by using the single data entry principle, where information is entered and maintained in the evidence catalog file and that data is pulled by other documents. The new JSON format for everything contributing to a module submission enables automating the checks for existence and completeness of the evidence catalog in relation to the test report.

These major improvements also have short-term impacts to the current CMVP, as creating them generated suggested changes for the CMVP’s current guidance on TEs that rely on verifying vendor documentation instead of functional testing or source code review.

And things won’t stop there! The TE Workstream is still working diligently to improve TE filtering coverage, further develop test method recommendations for function testing TEs, and finalize the JSON structure for the test evidence catalog. The end goal is to allow for an evidence catalog that can be easily referenced by testers when the CMVP reviewers ask for specific TE evidence while also demonstrating the correctness of the evidence to the reviewers.

Coupled with today’s ICMC panel discussion, the NCCoE published documentation about the ACMVP on their website for public review.

About a year ago, atsec made a short animation video clip and played it at the opening of ICMC23, pointing to the direction that the NCCoE ACMVP was heading. It’s worth revisiting the lighthearted clip for a high-level understanding of the new structure – we also think you’ll get a good laugh out of it. Many things illustrated in the clip have already been implemented, and the project is planned for completion in 2025.

https://www.atsec.cn/downloads/media/shortening_the_fips_queue_through_automation%20(720p).mp4

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.rhkb.cn/news/430852.html

如若内容造成侵权/违法违规/事实不符,请联系长河编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

Flink 与 Kubernetes (K8s)、YARN 和 Mesos集成对比

Flink 与 Kubernetes (K8s)、YARN 和 Mesos 的紧密集成,是 Flink 能够在不同分布式环境中高效运行的关键特性。 Flink 提供了与这些资源管理系统的深度集成,以便在多种集群管理环境下提交、运行和管理 Flink 作业。Flink 与 K8s、YARN 和 Mesos 集成的详…

百度Android IM SDK组件能力建设及应用

作者 | 星途 导读 移动互联网时代,随着社交媒体、移动支付、线上购物等行业的快速发展,对即时通讯功能的需求不断增加。对于各APP而言,接入IM SDK(即时通讯软件开发工具包)能够大大降低开发成本、提高开发效率&#…

数据结构:(OJ141)环形列表

给你一个链表的头节点 head ,判断链表中是否有环。 如果链表中有某个节点,可以通过连续跟踪 next 指针再次到达,则链表中存在环。 为了表示给定链表中的环,评测系统内部使用整数 pos 来表示链表尾连接到链表中的位置(…

C++ | Leetcode C++题解之第420题强密码检验器

题目: 题解: class Solution { public:int strongPasswordChecker(string password) {int n password.size();bool has_lower false, has_upper false, has_digit false;for (char ch: password) {if (islower(ch)) {has_lower true;}else if (isu…

渗透测试综合靶场 DC-2 通关详解

一、准备阶段 准备工具如Kali Linux,下载并设置DC-2靶场机。确保攻击机和靶机在同一网络段,通常设置为桥接模式或NAT模式。 1.1 靶机描述 Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in …

面试知识点总结篇二

一、makefile链接库参数 LIBS -L/path/to/lib -lmylib//,-lmylib会链接名为libmylib.so或libmylib.a的库。all: myprogrammyprogram: myprogram.ogcc -o myprogram myprogram.o $(LIBS)//此处使用myprogram.o: myprogram.cgcc -c myprogram.c二、shell指令 Shell…

高性能分布式搜索引擎Elasticsearch详解

♥️作者:小宋1021 🤵‍♂️个人主页:小宋1021主页 ♥️坚持分析平时学习到的项目以及学习到的软件开发知识,和大家一起努力呀!!! 🎈🎈加油! 加油&#xff01…

在线相亲交友系统:寻找另一半的新方式

在这个快节奏的时代里,越来越多的单身男女发现,传统意义上的相亲方式已经难以满足他们的需求。与此同时,互联网技术的迅猛发展为人们提供了新的社交渠道——在线相亲交友系统作者h17711347205。本文将探讨在线相亲交友系统如何成为一种寻找另…

MYSQL基础语法

1-什么是数据库 数据库就是保留数据的仓库,体现在电脑当中,是一个软件或者是文件系统。然后把这些数据都保存在特殊的文件中,然后使用固定的语言(SQL语句)去操作文件中的数据。 2-数据库的优点 数据库是按照特定的格…

Spring MVC 基本配置步骤 总结

1.简介 本文记录Spring MVC基本项目拉起配置步骤。 2.步骤 在pom.xml中导入依赖&#xff1a; <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>6.0.6</version><scope>…

Activiti7《第九式:破气式》——流畅驱动工作流进程。面试题大全

冲冲冲&#xff01;开干 这篇文章将分为九个篇章&#xff0c;带你逐步掌握工作流的核心知识。“破气式”&#xff0c;代表着工作流中的 无形之力&#xff0c;它是贯穿整个流程的 关键驱动 不知不觉已经到了独孤九剑最后一式了&#xff0c;我相信到这里之后各位都已经出神入化…

成功使用DDNS动态域名访问我的群晖NAS(TP-link路由器)

当NAS设备部署在动态IP环境中&#xff08;如家庭或小型办公室宽带&#xff09;&#xff0c;远程访问常常受到IP地址频繁变动的困扰。为了解决这一问题&#xff0c;结合神卓互联NAS公网助手提供的DDNS&#xff08;动态域名服务&#xff09;功能&#xff0c;我们可以轻松实现通过…

EasyGBD国标GB28181设备端,支持GB28181-2016、GB28181-2022

功能概要&#xff1a; 功能概述&#xff1a;EasyGBD是GB/T28181 Device的简称&#xff0c;指国标GB28181协议的设备端。EasyGBD功能组件支持Windows、Linux、Android、iOS、ARM等所有平台&#xff0c;可兼容国标GB28181-2011、GB28181-2016的全部功能。 操作系统&#xff1a;任…

医院监护病房智慧ICU远程探视双向对讲为医院带来什么?

随着信息技术的进步和社会对医疗服务要求的不断提高&#xff0c;医院在努力提升服务质量的同时&#xff0c;也在积极寻求更科学有效的管理手段。全视通智慧医院解决方案下有十几个业务系统&#xff0c;主要专注于医院信息化系统&#xff0c;针对于智慧门诊、智慧病房、智慧手术…

玩转腾讯混元大模型——带您解读各个功能

自从2022年的OpenAI公司推出chatGPT人工智能聊天机器人&#xff0c;从此人工智能大模型便在各国可所谓风靡一时&#xff0c;不断涌现出各种各样的大模型&#xff0c;深得用户喜爱。然而在此领域中&#xff0c;腾讯也研发出了自己的大语言模型&#xff0c;下面我们一起来了解一下…

C#基础(11)函数重载

前言 前面我们已经完成了ref和out补充知识点的学习&#xff0c;以及函数参数相关的学习&#xff0c;今天便再次为函数补充一个知识点&#xff1a;函数重载。 函数重载是指在同一个作用域中&#xff0c;可以有多个同名函数&#xff0c;但参数列表不同。它的发展可以追溯到早期…

一.python入门

gyp的读研日记&#xff0c;哈哈哈哈&#xff0c;&#x1f642;&#xff0c;从复习python开始&#xff0c; 目录 1.python入门 1.1 Python说明书 1.2 Python具备的功能 1.3 学习前提 1.4 何为Python 1.5 编程语言 2.Python环境搭建 2.1 开发环境概述 2.2 Python的安装与…

【开发心得】筑梦上海:项目风云录(5)

写这个长篇的目的&#xff0c;前文已经说过。就这个目的而言&#xff0c;这里会更多的讲项目中存在的风险和应对&#xff0c;假如你正在做项目或者打算从事软件项目管理&#xff0c;可以一起交流讨论一下。 目录 小娇的离去 管人的大忌 理解甲方的立场 时刻表的诞生 未完…

dotnet4.0编译问题

因为最近在写cobaltstrike的execute-assembly内存加载的c#项目 用visual studio2022编译&#xff0c;最低net只能用6.0版本的&#xff0c;并且execute-assembly不支持 我想使用4.x版本进行编译&#xff0c;因为visual studio不支持&#xff0c;那么使用命令行进行编译 因为要用…

np.pad实现零填充

np.pad 是 NumPy 中用于对数组进行填充的函数&#xff0c;它可以在数组的不同维度上添加指定数量的值。 X&#xff1a;输入的 NumPy 数组。通常是一个 4 维数组&#xff0c;可能表示图像数据&#xff0c;形状为 (batch_size, height, width, channels)&#xff0c;例如 (样本数…