Q: I need to apply a fix to my FIPS 140-2 module to address a CVE. What process do I follow to maintain my FIPS 140-2 certificate?
The Implementation Guidance for FIPS 140-2 document, G.8 Revalidation Requirements, addresses this scenario.
Alternative Scenario 3A allows you to quickly revalidate a FIPS module in response to CVEs. (This post assumes that the CVEs require security-relevant changes to your FIPS cryptographic module.)
To maintain assurance that your module still meets the FIPS 140-2 requirements, a source code review, operational testing, and (potentially) algorithm testing are required. These are the same steps you performed as part of your original FIPS validation effort.
Q: What’s so great about Alternative Scenario 3A?
- You are not required to address Implementation Guidance that has been published since your original validation. Whew.
- You save $4,000! A NIST fee is not required to update your FIPS 140-2 certificate with your new module version number.
- The CMVP typically approves Alternative Scenario 3A submissions much faster than other 3SUBs.
Q: What else do I need to know?
- A new validation certificate will not be issued; your new module version is added to your existing certificate
- The original Sunset Date on your certificate will not change (for modules on the active list)
- The previous version of your module is no longer considered validated and will be removed from the certificate (an exception does exist)
Q: I’m ready to get started. What do I do now?
Contact your FIPS Consultant or FIPS Lab to begin the process. If you’re looking for help, then we would be happy to give you a hand.
We are happy to answer your questions about maintaining FIPS modules. Please contact mark@KeyPair.us
KeyPair Consulting – expert guidance to meet your FIPS 140-2 goals