Kelvin Desplanque, Cryptographic Protocol Certification Specialist, Cisco Systems and Nick Goble, Technical Marketing Engineer, Cisco. The CMVP has a definition for what an OE (Operational Environment) is in relation to cryptographic algorithm testing. Depending on the module type the OE is formed from a combination of the CPU and the O/S running the crypto. Until recently, this was not a concern since most modules had only a single CPU and O/S. Recently the number of modules which run on general purpose computers and mobile platforms has increased dramatically. Consider the situation where a cryptographic software module has been designed to run on two desktop (Windows, Apple) and three mobile platforms (Android, Apple, Windows). Each of these OSs may have several versions and run on a range of processors. This would result in the number of required algorithm tests becoming astronomical.
In the Common Criteria scheme vendors could leverage off of NIAP Policy #5. This allowed for a single OE definition to cover a broad range of host platforms. Unfortunately this changed recently when NIAP revised the policy aligning it with the CMVP approach.
What is needed is a new way of defining the OE that is much closer to the reality of the situation. What we are proposing is a new definition for the OE which factors in considerations such as processor instruction set and operating system commonalities. This we hope will increase the speed and efficiency of the FIPS 140 validation process by eliminating unnecessary algorithm testing while at the same time not compromising FIPS validated module security.