April 7-10, 2025 | Marriott Downtown at CF Toronto Eaton Centre, Canada

Fast-Tracking Software Validations (C21c)

Software modules are a critical component of the Federal Information Processing Standard (FIPS) 140-3 validation program, constituting the majority of validated cryptographic modules. However, the complexity and length of the validation process present significant challenges, particularly for timely deployments and for the software updates that must follow each validation.

This talk examines strategies to optimize the FIPS 140-3 validation process for software modules at Security Level 1, with a focus on reducing variability and ensuring a more streamlined, predictable validation process. It explores opportunities to enhance the testing and evidence-gathering process for the test report, based on well-defined requirements for Security Level 1 software modules. Topics include cryptographic module interfaces, typically represented by APIs; Sensitive Security Parameter (SSP) management and storage, often in volatile memory; and Operational Environment (OE) requirements, generally satisfied by general-purpose operating systems.

For FIPS 140-3 re-validations, the talk identifies sections of ISO/IEC 19790:2012 and ISO/IEC 24759:2017 where prior validation results can be reused. By minimizing regression testing, these approaches expedite the re-validation process, saving time and resources while maintaining compliance with FIPS 140-3.