Status of Crypto Modules in Historical Status
December 22 | 2022
On July 1, 2022, many Federal Information Processing Standard 140 (FIPS 140) validated cryptographic modules (CMs) were moved to ‘historical status’ by the NIST Cryptographic Module Validation Program (CMVP) as part of the transition to NIST SP 800-56A Rev 3, “Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography.” This follows a 2017 NIST announcement that it would strengthen the requirements for key establishment using asymmetric algorithms, and the April 2018 release of those requirements in SP 800-56A Rev 3.
How should Cloud Service Providers (CSPs) and Third-Party Assessment Organizations (3PAOs) address cryptographic modules (CMs) in historical status due to the SP 800-56A Rev 3 transition?
The following PMO guidance should be applied to every CM in use:
For initial authorization and continuous monitoring
CSP Actions:
- If a replacement CM has been submitted for testing or is listed as in-process with the CMVP:
  - Capture it in the Plan of Action & Milestones (POA&M) as a vendor dependency. A CM that has been submitted for testing is acceptable even if it is not yet listed on the CMVP in-process web site.
- If a replacement CM has not been submitted for testing but is in development with plans to submit it for CMVP testing:
  - Determine whether there are any known exploits of the existing CM.
  - If there are no known exploits:
    - Capture it in the POA&M as a vendor dependency.
    - Provide a replacement CM implementation plan and timeline to the Authorizing Official (JAB or Agency AO) for approval.
  - If there is a known exploit:
    - Capture it in the POA&M as an open risk.
    - Consider moving to a new CM.
- If a replacement cannot be identified or is otherwise not planned by the CM author:
  - For systems in continuous monitoring, document a plan to transition to a new CM as an open POA&M item and submit it to the Authorizing Official (JAB or Agency AO) for approval.
  - For systems pursuing an initial authorization:
    - If the 3PAO’s initial assessment is complete, redesign around a different CM and submit a project plan to the Authorizing Official (JAB or Agency AO) for approval.
    - If the 3PAO’s initial assessment is not complete, redesign around a different CM and complete the implementation prior to the 3PAO assessment for initial authorization.
3PAO Action:
- Review and confirm the status and remediation plan for each CM in historical status due to the SP 800-56A Rev 3 transition.
For readiness assessments (to be considered for “FedRAMP Ready” designation)
CSP Actions:
- If a replacement CM has been submitted for testing or is listed as in-process with the CMVP:
  - Document this in the Mandates section of the Readiness Assessment Report (RAR). A CM that has been submitted for testing is acceptable even if it is not yet listed on the CMVP in-process web site.
- If a replacement CM has not been submitted for testing but is in development with plans to submit it for CMVP testing:
  - Determine whether there are any known exploits of the existing CM.
  - If there are no known exploits:
    - Provide evidence to the 3PAO for documentation in the RAR.
  - If there is a known exploit:
    - Plan to replace the CM before pursuing FedRAMP Ready.
- If a replacement cannot be identified or is otherwise not planned by the CM author:
  - Redesign around a different CM and complete the implementation prior to pursuing FedRAMP Ready.
3PAO Action:
- Review and confirm the status and remediation plan for each CM in historical status due to the SP 800-56A Rev 3 transition.
- If a replacement CM has been submitted for testing, or is in development with plans to submit it for testing:
  - Document the status of the CMs at the end of the Mandates section of the RAR.
- If a replacement cannot be identified or is otherwise not planned by the CM author:
  - Do not submit the RAR to the FedRAMP PMO. The CSP needs to redesign around a different CM and complete the implementation before a RAR will be considered.
As a reminder, this guidance applies only to CMs that have been moved to historical status due to the NIST SP 800-56A Rev 3 transition.
Please contact info@fedramp.gov if you have any questions about these updates.