Maintaining a FIPS 140-2 Certificate

I often receive questions about maintaining a FIPS 140-2 certificate after changes are made to the module. Here is some information from the trenches for those not familiar with the process.

There are 8 different scenarios (1, 1A, 1B, 2, 3, 3A, 4, 5) when making changes to a cryptographic module. I’ll cover the most common scenarios. Additional details are found in the FIPS 140-2 Implementation Guidance document, G.8.

1SUB – Modifications are made to hardware, software or firmware components that do not affect any FIPS 140-2 security relevant items. The vendor is responsible for providing the applicable documentation to the CST laboratory, which identifies the modification(s).

[Mark Minnoch] A “1SUB” (say “one-sub”) is a “maintenance” or “bug-fix” activity for the Lab. As an example, let’s consider the case of a vendor making source code changes only. The Lab reviews the source code to determine if any of the changes are security relevant. If the Lab confirms the changes are not security relevant, then a letter request is submitted to the CMVP to include the updated firmware (or software) version on the existing FIPS certificate. Note: A NIST fee is not required.

There are two alternative scenarios for 1SUBs.  Alternative Scenario 1A allows for rebranding of an already validated OEM module. Alternative Scenario 1B allows a different Lab than the original testing Lab to review the non-security relevant changes to the module. Note: A $2000 NIST fee is applicable for Alternative Scenarios 1A and 1B.

3SUB – Modifications are made to hardware, software or firmware components that affect some of the FIPS 140-2 security relevant items. An updated cryptographic module can be considered in this scenario if it is similar to the original module with only minor changes in the security policy and FSM, and less than 30% of the module’s security relevant features.

[Mark Minnoch]  For a “3SUB” change, the Laboratory updates the previous report submission to include the changes and also to confirm that the required regression testing was completed. This testing is more involved than a 1SUB but typically less effort than a new validation. The Lab considers service changes, algorithm changes, hardware changes, etc. in determining the 30% threshold limit for security relevant changes. Note: A $4000 NIST fee is applicable for a 3SUB sub.

There is an alternative scenario for 3SUBs.  Alternative Scenario 3A provides a path to quickly fix, test, and revalidate a module that is affected by a security relevant CVE (Common Vulnerability and Exposure). This path does not require the vendor to address Implementation Guidance that has been published since the original validation. See CVE Got Your FIPS Module? for more details. Note: A NIST fee is not applicable for an Alternative Scenario 3A submission.

5SUB – If modifications are made to hardware, software, or firmware components that do not meet the above criteria, then the cryptographic module will be considered a new module and must undergo a full validation testing by a CST laboratory.

[Mark Minnoch]  A “5SUB” is commonly referred to as a “validation” or “full validation.” The Laboratory submits a full validation test report package after completing all of the testing tasks. Note: A $8000 (Level 1) or $10000 (Levels 2-4) NIST fee is applicable.


We are happy to answer your questions about maintaining FIPS modules. Please contact mark@KeyPair.us

KeyPair Consulting – expert guidance to meet your FIPS 140-2 goals

Leave a Reply

Your email address will not be published.