Speaker TBA A validated module is required to be tested for FIPS 140-2 conformance by the accredited lab under the claimed operational environment. If there is any change within the module or operational environment that has not been tested during the module’s validation, the CMVP requires the module to be reviewed by the CST lab and revalidated according to the instructions described in FIPS 140-2 IG G.8. Some changes in the module can result updating the existing certificate, but some changes in the module require to be retested that is almost equivalent to a full validation. Also, if the vendor needs to update the validated module for a security flaw correction or for some publicly known security vulnerabilities, the extent of the modification of the validated module is required to be revalidated and the CMVP processing time can be up to several months. This presentation will describe how to handle changes made in a module, porting the module to operate in a new operational environment that has not been tested, and discuss the solutions to the urgent revalidation submission, including defining a small cryptographic boundary during the module’s validation and joining the CMUF working group to work with CMVP to address the urgent revalidation scenario. The goal of this presentation is to help vendors to have a better understanding of the CMVP requirements of maintaining the FIPS certificates and the revalidation requirements in FIPS 140-2.

End-User Experience Track