Selecting A Maintenance Path
As you release new versions of previously certified and validated products, it is crucial that you develop a security certification maintenance plan to keep up with the evolution of your technology. Each security certification has its own unique requirements for maintenance and renewal. Corsec’s engineering team can help you understand the specific actions you will need to take for each of your products and certifications.
A FIPS 140-2 certification is valid for up to five (5) years on the exact version of the module that was tested; after its sunset date the certificate moves to the historical list. The FIPS 140-2 Implementation Guidance (IG) lists several change scenarios for revalidation; the changes, if any, made to your module determine which scenario(s) apply. Corsec can help determine which scenario most closely aligns with the latest version of your product.
- Subsection 1 (1SUB): Non-security-relevant changes only
  - 1A – Rebranding an already validated OEM module
  - 1B – Performing a 1SUB through a different testing lab than the one that performed the original validation
- Subsection 2 (2SUB): Extending the sunset date of a module that has not changed or been updated and still meets current requirements
- Subsection 3 (3SUB): Security-relevant changes that affect no more than 30% of the module’s security-relevant features
  - 3A – Changes made to address CVEs (e.g. Heartbleed)
- Subsection 4 (4SUB): Changes to the physical enclosure that do not alter the module’s functionality (e.g. physical security updates)
- Subsection 5 (5SUB): More than 30% of the module’s security-relevant features were changed; the module requires a full revalidation
A Common Criteria certification is valid for up to five (5) years on the version of the product that was tested. Common Criteria allows version information to be updated through a process called Assurance Continuity (AC).
- For minor product changes, a vendor can perform “Assurance Maintenance,” which produces a maintenance report and an addendum attached to the original product certificate, as long as it is within two (2) years of the certificate’s initial issuance date.
- For major changes to the target of evaluation (TOE), evidence needs to be submitted to a laboratory and the product needs to be re-evaluated. The re-evaluation process will result in a new certificate and new listing on the CC Portal.
A DoDIN APL listing is valid for up to three (3) years on the version of the product that was tested. To maintain a listing on the DoDIN APL, you must complete a Desktop Review (DR) for each major product version. In such a review, a high-level assessment determines whether the listing will simply be updated with the new version identifier, whether minimal testing must be performed on the new version before the listing is updated, or whether the product must undergo a new evaluation in its entirety.
Keep Products Market-Ready
Corsec helps ensure that our partners continue to benefit from the efforts they put in initially to get their products certified or validated. Corsec’s Maintenance and Compliance Service helps you determine whether a full re-evaluation is necessary, or if you can pursue other measures to continue generating revenue from your initial certification or validation.
If you have questions on the requirements around your products’ recertification or revalidation, we can help determine the best path forward with little to no disruption of your revenue stream.