OpenSSL FIPS 140-3 Module Update: Moving from "Review Pending" to "Coordination"

OpenSSL’s FIPS 140-3 module has progressed from the “Review Pending” phase to the “Coordination” phase on the NIST CMVP Modules-In-Process list. This change signifies that the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) have completed their initial examination of the module and are now collaborating with the OpenSSL team and the accredited testing laboratory on any remaining clarifications before final certification.

FIPS 140 (Federal Information Processing Standard Publication 140) is a U.S. government standard that defines the security requirements for cryptographic modules. Specifically, it ensures that these modules meet certain cryptographic and operational requirements to protect sensitive data and communications.

The FIPS 140 validation lifecycle involves several stages of review by the Cryptographic Module Validation Program (CMVP):

  1. Development and Testing – Module developers work with accredited labs to ensure cryptographic modules meet FIPS requirements.
  2. Submission and Review – The accredited labs submit their test reports and other documentation to NIST and the Canadian Centre for Cyber Security (CCCS) for validation.
  3. Coordination – Once initial reviews are completed, modules move from “Review Pending” to “Coordination.” At this point, relevant stakeholders (NIST, CCCS, the testing lab, and the module vendor) coordinate any final clarifications, documentation, and test results before a determination can be made.
  4. Final Validation – After successful coordination and resolution of any questions or issues, a module is approved. The formal certificate is issued, and the cryptographic module is listed as FIPS 140 validated.

Moving from the “Review Pending” stage to “Coordination” signals that:

  • Initial Review is Complete: The testing lab’s documentation and test results have undergone the preliminary review by the validating authorities (NIST and CCCS).
  • Further Clarifications May Be Required: NIST and CCCS might request clarifications, additional documentation, or specific changes. During “Coordination,” the involved parties work closely to address these points.
  • Closer to Finalization: This stage usually means the module is substantially on track, and once remaining questions are resolved, it can move to final validation.

For the OpenSSL community, this is a clear indicator that the OpenSSL FIPS 140-3 module is progressing well. While it does not carry an official “validated” status yet, we are through the longest part of the process and nearing the finish line.

Next Steps and How to Stay Informed

Continue monitoring these resources to stay current on validation status and anticipated release timelines: