CVE Got Your FIPS Module?

Q: I need to apply a fix to my FIPS 140-2 module to address a CVE. What process do I follow to maintain my FIPS 140-2 certificate?

The Implementation Guidance for FIPS 140-2 document, G.8 Revalidation Requirements, addresses this scenario.

Alternative Scenario 3A allows you to quickly revalidate a FIPS module in response to CVEs. (This post assumes that the CVEs require security-relevant changes to your FIPS cryptographic module.)

To maintain assurance that your module still meets the FIPS 140-2 requirements, a source code review, operational testing, and (potentially) algorithm testing are required. These are the same steps you performed as part of your original FIPS validation effort.

Q: What’s so great about Alternative Scenario 3A?

Three things:

  1. You are not required to address Implementation Guidance that has been published since your original validation. Whew.
  2. You save $4,000! A NIST fee is not required to update your FIPS 140-2 certificate with your new module version number.
  3. The CMVP typically approves Alternative Scenario 3A submissions much faster than other 3SUBs.

Q: What else do I need to know?

  • A new validation certificate will not be issued; your new module version is added to your existing certificate
  • The original Sunset Date on your certificate will not change (for modules on the active list)
  • The previous version of your module is no longer considered validated and will be removed from the certificate (an exception does exist)

Q: I’m ready to get started. What do I do now?

Contact your FIPS Consultant or FIPS Lab to begin the process. If you’re looking for help, then we would be happy to give you a hand.

We are happy to answer your questions about maintaining FIPS modules. Please contact [email protected]

KeyPair Consulting – expert guidance to meet your FIPS 140-2 goals