Certificate Maintenance: 3SUB vs 5SUB (G13a)
IG G8 details the criteria that a module must meet in order to be submitted under one of the revalidation submission scenarios. According to IG G8, a module with security related changes and/or modifications that are “less than 30%” can be considered as a scenario 3. However, if the changes are deemed more than 30% then the module must be submitted as a scenario 5 (Full submission). Scenario 3 is a popular revalidation scenario as certificate products evolve after the initial 5SUB. They cost less and require less time to complete the validation when compared to a scenario 5. Measuring the security related changes can be a difficult task because each change or modification made to the module is not weighed equally and may not directly map out to the FIPS 140-2 standard. To counter this problem, the presentation will provide a baseline for security related changes to help measure and weigh the changes and determine whether a modified module can be considered as a scenario 3 or 5. This presentation will explain the difference between security related and non-security related changes/modification and the options (Scenarios) available to the product developer.