NVLAP Program Checklist Template

By Sheila Ruiz,2014-06-23 08:34
8 views 0
NVLAP Program Checklist Template

Enter Date: Enter NVLAP Lab Code:



    Instructions to the Assessor: This checklist addresses specific accreditation requirements prescribed in NIST Handbook 150-17, Cryptographic and Security Testing. The numbering of

    the checklist items correlates to the numbering scheme in NIST Handbook 150-17, clauses 4

    and 5.

    Place an “X” beside any of the following items that represent a nonconformity. Place a “C”

    beside each item on which you are commenting for other reasons. Record the item number and your nonconformity explanation and/or comments on the appropriate comment sheet(s). Write "OK" beside all other items you observed or verified as compliant at the laboratory.

    Also fill out all of the checklists associated with the laboratory‟s scope. Please note that there

    are no additional requirements for 17BCS Basic Cryptographic and Security Testing outside those listed in the main body of the NIST Handbook 150-17. Therefore, there is no additional

    checklist for this area. The additional requirements for the other test methods are addressed in their corresponding checklists. These checklist items follow the clauses in Annex A:

    (a) Cryptographic Algorithm Validation: CAV - 17CAV CHECKLIST

    (b) Cryptographic Modules Software: CMS - 17CMS CHECKLIST

    (c) Cryptographic Modules Hardware: CMH - 17CMH CHECKLIST

    (d) Personal Identity Verifier: PIV - 17PIV CHECKLIST

    (e) General Services Administration Precursor: GSAP - 17GSAP CHECKLIST

    (f) Secure Configuration Automation Protocol: SCAP - 17SCAP CHECKLIST

4 Management requirements for accreditation

    4.1 Organization

     4.1.1 To avoid any conflict of interest, the laboratory policies and procedures

    shall ensure that neither the applicant laboratory nor other divisions

    within their parent corporation can perform conformance testing if is

    currently providing or has previously provided consulting services to the

    vendor for the SUT (e.g., develop testing evidence, design advice).



     4.1.2 For any other services of the laboratory‟s parent corporation not listed in

    the subclause 4.1.1, the laboratory shall have an explicit policy and a set

    of procedures for maintaining a strict separation, both physical and

    electronic, between the laboratory testers and company‟s consultant

    teams, product developers, system integrators, and others who may

    have an interest in and/or may unduly influence the testing outcome.

     4.1.3 A CST laboratory shall have no financial interest for the work performed

    under the present scope of accreditation other than its conformance

    testing and/or validation fees.

     4.1.4 The laboratory shall not perform conformance testing on a module for

    which the laboratory has:

     a) designed any part of the SUT,

     b) developed original documentation for any part of the SUT,

     c) built, coded or implemented any part of the SUT, or

     d) any ownership or vested interest in the SUT.

     4.1.5 A CST lab may take existing vendor documentation for an existing SUT

    (post-design and post-development) and consolidate or reformat the

    existing information (from multiple sources) into a set format. If this

    occurs, the validation programs shall be notified of this when the

    conformance test report is submitted.

     4.2 Management system

     4.2.1 The policies and procedures shall specify how proprietary information will

    be protected from persons outside the laboratory, from visitors to the

    laboratory, from laboratory personnel without a need to know, and from

    other unauthorized persons.

     4.2.2 The laboratory shall comply with all policies and procedures to ensure

    technical integrity of the conformance testing analyses and results.



     4.2.3 The quality system shall provide a policy and procedures to ensure

    routine checks of the competence of the staff involved in the conduct and

    evaluation of the conformance testing.

     4.2.4 The reference documents listed in 1.4, Annex A of the HB 150-17, and

    the program‟s website, as well as any other standards and publications

    related to the CST LAP, shall be available to all appropriate personnel at

    all times.

    4.3 Document control

     The quality manual and related documentation shall include procedures

    and policies for handling software and maintaining the software‟s integrity

    according to the copyright and secrecy status.

    4.4 Review of requests, tenders and contracts

     4.4.2 If the laboratory conducts testing at client sites or any selected site other

    than the laboratory‟s site accredited for conformance testing, the site

    shall meet all requirements pertinent to the conformance testing of the

    SUT as the accredited testing laboratory.

    NOTE The laboratory may use checklists and/or contract agreements to satisfy

    this requirement.

     4.4.3 Policies for document storage and maintenance of contracts under

    confidentiality, non-disclosure agreements, marked as secret, or

    copyright protected, shall be well defined according to the document‟s


    These documents shall be protected commensurate with their

    classification and/or sensitivity, and access to them shall be given only to

    authorized personnel.



     4.4.4 The testing laboratory and client shall agree in writing what constitutes

    the System Under Testing (SUT) and what constitutes the environment

    within the SUT.

    [For this program, the environment includes but it is not limited to:

     the specific test platform,

     the test configuration, and

     the external environment.]

    4.5 Subcontracting of tests and calibrations

     4.5.2 If subcontracting is used as a mechanism by which the laboratory fulfills

    and/or enhances the conformance testing process, the subcontracting

    laboratory shall employ either services provided only by NVLAP-

    accredited laboratories or by laboratories that satisfy all testing

    requirements as indicated in the NIST Handbook 150, NIST Handbook

    150-17 and all documents pertaining to the validation program.

    In the later instance, the subcontracting laboratory:

    a) shall justify the selection explaining why this particular subcontractor

    was selected and how the subcontractor satisfies the testing

    requirements; and

    b) shall assume full responsibility for the outcome of the conformance

    testing performed by the subcontractor.

    4.13 Control of records

    4.13.1 General Software and data protected by non-disclosure agreements or classified

    as confidential shall be stored according to the vendor and/or

    government requirements and commensurate with the data sensitivity,

    and access shall be granted only to the authorized personnel. An access

    log file shall be maintained.

    NIST HANDBOOK 150-17 CHECKLIST - DRAFT (REV. 2009-04-01) PAGE 4 OF 36

DATE: NVLAP LAB CODE: The testing laboratory shall take steps to ensure that no third party can

    gain access to on-line records or to hard copies of the records, either

    during, or after testing. If a client‟s system on which testing is conducted is potentially open to

    access by third parties, the testing laboratory shall ensure that the client

    controls the testing environment so that the third parties do not gain

    access to that system during testing. Laboratories shall maintain records of the configuration of test equipment

    and all analyses to ensure the suitability of test equipment to perform the

    desired testing.

    4.13.2 Technical records The final test results and/or the test reports generated using

    cryptographic or security testing tools for the SUT shall be kept by the

    laboratory following the completion of testing for the life of the SUT, or as

    specified by the client in writing. A copy of the final test results and/or the test reports generated using

    cryptographic or security testing tools for the SUT shall be submitted to

    the validation program.



5 Technical requirements for accreditation

    5.2 Personnel

     5.2.1 The laboratory shall maintain responsible supervisory personnel and

    competent administrative and technical staff that are:

    1. knowledgeable of all FIPS and NIST Special Publications (SP)

    listed as references in this handbook and on the CST LAP


    2. familiar with cryptographic terminology and families of

    cryptographic algorithms and security functions with particular

    emphasis on the FIPS-approved and NIST-recommended security

    functions, and

    3. familiar with the cryptographic and security testing tools as

    required by the laboratory‟s elected scope of accreditation.

     5.2.2 The laboratory shall maintain a list of the key personnel designated to

    satisfy NVLAP requirements, including their assigned roles and a brief

    summary of their latest training qualifications. The list shall include, but

    shall not be limited to:

    1. laboratory‟s director,

    2. Authorized Representative,

    3. Approved Signatories, and

    4. key technical persons in the laboratory.

     5.2.9 The laboratory shall have a competency review program and procedures

    for the evaluation and maintenance of the competency of each staff

    member for each test method the staff member is authorized to conduct.

    An evaluation and an observation of performance shall be conducted

    annually for each staff member by the immediate supervisor or a

    designee appointed by the laboratory director.

    A record of the annual evaluation of each staff member shall be dated

    and signed by the supervisor and the employee.



    5.3 Accommodation and environmental conditions

     5.3.4 If the laboratory is conducting multiple simultaneous validations, a system

    of separation between products of different customers and conformance

    testing activities shall be maintained.

     5.3.8 For all conformance testing and validations, the laboratory shall ensure

    that any file containing old results or old test programs on the SUT is

    isolated from the current test programs and test or validation results.

     5.3.9 If a laboratory must conduct conformance testing at the customer site or

    other location outside the laboratory facility, the environment shall

    conform, as appropriate, to the requirements for the laboratory site, and

    shall be checked by the NVLAP-accredited laboratory as a responsible

    party for the security of the environment and the integrity of all tests and

    recorded results.

    [For additional information see subclause 4.4.3 of NIST Handbook


    5.4 Test and calibration methods and method validation

    General 5.4.1

    When testing is performed at a client site, all NVLAP requirements

    pertaining to equipment and environment as they apply to the tests

    scheduled outside the laboratory‟s accredited location, shall apply.

    Moreover, only the personnel of the NVLAP-accredited laboratory shall

    perform all actions necessary to conduct the tests and record the results,

    including the loading, compiling, configuring, and execution of any of the

    mandated testing tools.



    5.5 Equipment

     5.5.2 For its scope of accreditation, the laboratory shall have appropriate

    hardware, software, and computer facilities to conduct cryptographic and

    security testing. This includes but is not limited to:

    a) required software test suites;

    b) testing equipment for physical tests; and

    c) all special equipment necessary to perform all tests derived from

    the most current version of the standard.

     5.5.5 For conformance testing, the laboratory shall own, load and run a copy of

    the testing tool(s) provided by the validation program and produce test

    results using the tool(s) as appropriate.

     5.5.7 For a given test tool, there may be no suitable validation service available

    outside the testing laboratory to which accreditation is applicable, and no

    suitable reference implementation that could be used by the testing

    laboratory to validate the test tool.

    In this situation, the testing laboratory shall define and document the

    procedures and methods that it uses to check on the correct operation of

    the test tool, and provide evidence that these procedures and methods

    are applied whenever the test tool is modified.

     5.5.8 The testing laboratory shall document and follow appropriate procedures

    whenever a test tool is suspected or found to contain errors which make

    the tool defective or unfit for use.

    These procedures shall include establishing that there is a genuine error,

    reporting the error to the appropriate maintenance authority, withdrawing

    the test tool or test case(s) from service, as appropriate, correcting the

    errors, and then revalidating the test tool, as appropriate.

    If the conformance testing results change for a SUT after correcting the

    test tool then the information shall be transmitted to the customer and

    validation authority.



     5.6 Measurement traceability

    5.6.1 General Test results produced by the testing laboratory shall be traceable to

    standard test suites when appropriate, or otherwise to the applicable

    authoritative test suite.

    5.6.2 Calibration Test tools Any test tool used to conduct cryptographic and security testing and

    which is not part of the unit under testing shall be studied in isolation to

    make sure the tool correctly represents and assesses the test assertions

    it claims. Validation of the use of the most current version of testing tools shall be

    assured before conducting a test. Test equipment Laboratories shall maintain records of the configuration of test equipment

    and all analysis to ensure the suitability of test equipment to perform the

    desired testing. If applicable, the equipment used for conducting the conformance tests

    shall be maintained and recalibrated in accordance with the

    manufacturer‟s recommendation, as often as the laboratory‟s equipment

    control charts indicate, or as specified in the test method, or as specified

    below, whichever results in shorter time periods between calibrations.

     Apparatus/Instrumentation Frequency

     ohmmeters annually

     voltmeters annually

     wattmeters annually

     oscilloscopes annually

     logic analyzer annually

     temperature chamber annually

     IBM-compatible computers annually

    NIST HANDBOOK 150-17 CHECKLIST - DRAFT (REV. 2009-04-01) PAGE 9 OF 36

DATE: NVLAP LAB CODE: All calibrations performed in the laboratory shall be executed by properly

    trained staff using calibrated standards, or through a contract with a

    competent external calibration service (see NIST Handbook 150,

    Annex B).

    All calibrations and characterizations shall be done against reference

    standards that are traceable to national standards maintained by NIST or

    by an equivalent foreign national standard authority. For calibrations performed in-house, the reference standards used and

    the environmental conditions at the time of calibration shall be

    documented for all calibrations. The calibration of the hardware and software shall be accomplished


    configuration management for all hardware and software, or

    a version control system.

    5.6.3 Testing The laboratory shall request the most current versions of the CST test

    tools from the respective program (e.g., CAVP, CMVP, NPIVP), NIST/ITL,

    or from NVLAP.

    No CST test tools provided by the accreditation or validation programs

    shall be redistributed outside the laboratory without written permission

    from the respective authority.

NIST HANDBOOK 150-17 CHECKLIST - DRAFT (REV. 2009-04-01) PAGE 10 OF 36

Report this document

For any questions or suggestions please email