Equivalency Working Group Report (G23b)

Equivalence Working Group Mission Statement
The Equivalence Working Group will work toward formulating recommendations, in the form of a draft Implementation Guidance (IG), which the CMVP finds acceptable to justify reducing the overall amount of testing.

1. Problem
a. In the case where a vendor wishes to group multiple hardware modules in the same report, and therefore on the same certificate, under what conditions can the lab perform limited operational testing on the group of modules and still provide the assurance that all of the modules meet the FIPS 140-2 standard?
b. What is the minimum set of “limited testing,” if any, that must be performed by the lab?
2. Solutions
a. Option 1: Test all modules
1) This can result in excess capital equipment costs as well as a time-consuming and costly Operational Test. This is not practical or sustainable.
b. Option 2: Develop an equivalence argument as part of the upfront analysis and submit the argument to the CMVP for review at the IUT stage.
1) This creates issues that are complex to write up and for the CMVP to evaluate.
c. Option 3: Establish equivalency criteria that balance efficiency and expediency with assurance.

This session will discuss the reasoning that supports the IG’s equivalency criteria.