cloud-gov / compliance

Compliance automation for cloud.gov

Response Required JAB Request For Information Crypto Modules Historical Status - Due 10/24 #261

Closed Chiakao closed 2 years ago

Chiakao commented 2 years ago

In order to meet FedRAMP's requirements for crypto modules, cloud.gov must address the requirements below:

Acceptance Criteria

Security considerations

[note any potential changes to security boundaries, practices, documentation, risk that arise directly from this story]

Additional Information:

For any CM that has a new submission, the CSP may/should move to the CM that is in process with NIST. If there are other noted deficiencies/vulnerabilities with the historical CM, the CSO must move to the version of the product that is leveraging the CM that has been submitted to NIST for evaluation.

For any CM that will not have a new CM submitted for FIPS 140-3 testing, the CSP must develop a plan for moving away from the product that contains that CM. This will be a POA&M item and the plan and timeline will be evaluated and approved by the JAB review teams.

pburkholder commented 2 years ago

Full text of letter:

JAB CSPs, 

The FedRAMP PMO is writing to request that information be provided to your JAB representatives on the status of your crypto modules (CM). Please review the request below and respond within 30 days, no later than Monday, October 24, 2022.

Background:

    In 2017, NIST announced that the algorithm to implement secure key establishment using asymmetric algorithms was going to be strengthened.
    The new requirements were published in SP 800-56A Rev. 3 in April 2018.
    Key exchange based on Rev. 3 was required by July 1, 2022.
    On July 1, NIST moved hundreds of CMs based on SP 800-56A Rev. 2 to historical status.

Request for Information:

In order to determine the impact of this change of CMs to historical status, FedRAMP is asking for the following actions to take place:

    CSPs should enumerate all the CMs in their environments, including the NIST validation certificate numbers.

    For each CM, CSPs should note which of the CMs in their environment have been moved to historical status as a result of their status being changed on July 1, 2022.

    For each instance where a CM has gone historic, the CSP must determine if the CM has had a new FIPS 140-3 submission for an update module submitted to NIST.

    For each instance where a new CM has not been submitted to NIST, the CSP must determine if there are plans to submit a new CM to NIST and the timeline for that submission.

Breakdown of requirements due no later than Monday, October 24, 2022:

    Review and implement the actions described above.
    Upload your documented results based on the performed actions to your respective FedRAMP secure repository.
    Email your JAB point of contact with notification of the completed actions and the location of the results.

Additional Information:

For any CM that has a new submission, the CSP may/should move to the CM that is in process with NIST. If there are other noted deficiencies/vulnerabilities with the historical CM, the CSO must move to the version of the product that is leveraging the CM that has been submitted to NIST for evaluation.

For any CM that will not have a new CM submitted for FIPS 140-3 testing, the CSP must develop a plan for moving away from the product that contains that CM. This will be a POA&M item and the plan and timeline will be evaluated and approved by the JAB review teams.

We appreciate your response to this request,

FedRAMP Program Management Office

pburkholder commented 2 years ago

Clarification from FedRAMP®:

Please provide all cryptographic instances that meet any of the NIST definitions including shared or non-FIPS modules. This is a broader data call so we would prefer to be comprehensive and then we can sort from there.

mogul commented 2 years ago

This seems like a sprint-level story rather than a quarter-level feature or enabler. Can you confirm? If so let's remove it from the program board and put it on the team board.

pburkholder commented 2 years ago

We've created a Google Sheet of the crypto modules, which includes links to relevant sources. These include:

pburkholder commented 2 years ago

Submitted the crypto module as an Excel sheet on 2022-10-24.