EFP/EFT Testing at Security Level 3 and 4 and Remote Testing Advocacy (C12a)
With the publication of FIPS 140-3, EFP/EFT testing was added as a FIPS 140-3 requirement at security level 3 security level. FIPS 140-2 was required at security level 4 but allowed for EFP/EFT as an augmentation to the security level 3 claim e.g., Physical Security: Level 3 +EFP. This meant that for vendors with modules already validated at FIPS 140-2 physical security at level 3, will now have to add additional test time to prepare and test for this requirement. In parallel, during the COVID-19 pandemic, the ICMC community (vendors, labs and the CMVP) learned that many tasks which previously required the tester to be physically present to be performed on a hardware module, could equally be performed using remote testing and that assurance could be obtained that the quality of required testing did not diminish. This presentation looks to review the EFP/EFT requirements and provide rationale to allow for remote testing by demonstrating how EFP/EFT testing can be accomplished remotely with the level of assurance as if the tester was physically present.