A Call to CMVP for a New Type of FIPS 140 Certificate (C30a)
Very few vendors implement cryptography. At the heart of most certified modules is third party and open source cryptography. CMVP already allows vendors to use the “FIPS logo” if they use third party certified modules in their products and publishes a form for this. The speaker proposes that this is extended to allow vendors to engage with a test laboratory to test third party modules in their own operating environment and have this recognized by CMVP in a new certified module list, referencing the original certificate, but also the newly tested environment. This will meet several needs. It will reduce the certification workload, it will allow vendors to get more environments tested and will give more visibility to FIPS 140 compliance.