CMUF

Welcome to the Cryptographic Module User Forum

The Cryptographic Module Users Forum (CMUF) was founded in 2013 and is a non-profit community based around those working with and validating the security for cryptographic modules.

We invite you to join the free CMUF Collaboration Tool.

Cryptographic Module User Forum Governance


1. Mission

 
The Cryptographic Module User Forum (CMUF) mission is to provide a platform for practitioners in the community of UNCLASSIFIED Cryptographic Module (CM) and UNCLASSIFIED Cryptographic Algorithm (CA) Validation Programs (VP). The forum aims to facilitate the communications among crypto module and algorithm developers, vendors, test labs and other interested parties, and the various national, international, and multi-lateral organizational committees, government agencies, and policy makers. In order to further the CMUF mission, our objectives are to improve and promote CM usage and resolution of issues and concerns by seeking to:

Enable focused technical working groups to address issues of interest to the community, e.g., reference standards for testing correct implementation of cryptographic algorithms.
Develop and promote meaningful certification processes which help to assure customers of developed/tested/validated/certified modules.
Encourage viable policies and processes for maintaining certification through module/product updates.
Assess the validation process and provide the community perspective regarding time, effort, and cost required to complete validations/certifications which lead to appropriate levels of security in CMs.
Support and foster the goal of worldwide mutual recognition of tested/validated/certified CMs.
Not address issues related to the quality or fitness for purpose of any particular cryptographic algorithm or security function.
Not promote particular vendor solutions or products.
 

2. Principles of Operation

a The CMUF will seek to operate within the guidance of these Principles and will refrain from actions, or inactions, which would contradict these Principles.
b The operation of CMUF will be independent of any influence imposed by any Government or Validation/Certification Authority.
c The CMUF will provide an open forum for a broad spectrum of participants.
d The CMUF will accept any member who joins and participates in good faith.
e The CMUF will not favor any group or interest within its membership.
f The CMUF will facilitate the formation of technical working groups on specific topics. These groups may be publicly or privately accessible to the entire CMUF membership and will operate within the CMUF Principles of Operation, subject to direction from the CMUF Steering Committee (SC).
g The CMUF will consider the expression and consideration of minority opinions and interests.
h The CMUF may address issues which are also being addressed by other organizations or groups.
i The CMUF will maintain its independence and identity in order to adhere to these principles.
j The CMUF will remain vigilant to ensure that no single group acquires undue influence within the CMUF which would contravene these Principles.
k CMUF members must not take part in discussions which may give rise to accusations of collusion, monopolistic, anti-trust or anti-competitive behavior.
l The CMUF should not allow the discussion of inappropriate topics or the sharing of confidential intellectual property in the form of proprietary information and should encourage its members to formally object to such discussions. Any complaints about such inappropriate discussions should be sent to sc@cmuf.org.
 

3. CMUF Membership

a Membership in the CMUF is free and open to all with an interest in unclassified cryptographic modules and unclassified cryptographic algorithms including, but not limited to, acquirers and users of CM products; module/product vendors; validation/certification authorities; national, international and multi-lateral policy makers; consultancies; test labs; academia; and individuals.
b Membership is effectively maintained by allowing access to online CMUF collaboration tools.
c The CMUF portal administrator does not have influence over the potential membership of a group member.
d CMUF members are expected to follow the CMUF Principles of Operation.
e Donations of time and effort from members to keep the CMUF operational are required.
Monetary donation is appreciated but will have no impact on the independence of the CMUF.
 

4. CMUF Steering Committee (SC)

a The SC consists of a few CMUF members with profound knowledge of the CMVP and CAVP. Participation in the SC is voluntary. While the SC is open to new members, a prospective candidate must be an experienced IT security professional and have a concrete plan to improve the CMUF. An email application may be sent to sc@cmuf.org for review. The candidate will be informed of the SC’s decision in a timely manner.
b Broad guidelines for SC membership:
  • An SC member must be knowledgeable in FIPS 140-3 and its related standards, Implementation Guidance, Management Manual, and have at minimum five years of experience in security testing and evaluation.
  • The SC will be comprised of up to ten (10) members - representation split equally between labs and vendors/consultants.
  • An organization may have one (1) member on the SC.
  • Each SC member may designate one representative from his/her organization as a “back-up” for the purposes of sharing workload. The members should notify the SC about their back-ups. This individual may attend the SC meetings when the member is not able to. However, the back-up person must be informed of the SC’s role within the CMUF and in meetings represent the goals and agenda of the SC. If possible, the designee should have the applicable CMUF knowledge.
  • Information internal to the SC (e.g., meeting preparation notes, discussion notes on the draft CMVP guidance) shall not be used to gain a competitive advantage for a member’s organization. Such information shall not be shared outside of SC before it has been approved by the SC. Only then can it be made available to all CMUF members via the CMUF portal.
c The role of the CMUF SC is to operate the CMUF in accordance with the guiding principles with minimal operational overhead.
d The responsibilities of the CMUF SC include but are not restricted to:
  • Act as a liaison to CMVP, CAVP and ISO/IEC 19790 and ISO/IEC 24759 WG
  • Organize the CMUF meetings and capture minutes from those meetings
  • Lead or support CMUF Working Groups (WG)
  • Contribute to the ICMC

5. CMUF Meetings

a The CMUF will have a face-to-face meeting yearly, which is likely to coincide in time and location with the annual International Cryptographic Module Conference (ICMC). The CMUF SC may decide to vary the arrangement and provide advance notice to the Membership.
b The CMUF will also have monthly e-meetings (usually with exception of July and December).
c Draft Agendas for CMUF meetings will be published by the CMUF SC and CMUF members will be able to request additional items to be added to such Agenda.
d Meeting notes of CMUF meetings will be published by the CMUF SC in a timely manner after review and approval by the meeting speakers. Preferably, a draft is ready by the Friday following the meeting and is posted by the Tuesday after the meeting.
e CMUF WGs may organize their own group meetings.
 
  Latest Updated Date: 2024-09-27, v4.0 of the Governance Document

Contact

Steering committee:
sc@cmuf.org

Website and Forum Admin:
admin@cmuf.org