We often get the question whether patching/updating a FIPS-validated module (particularly when there is a significant security-related reason, such as addressing a CVE) will invalidate that module's FIPS status. The original version would maintain its validation, but the new version that includes the patch/update would not be validated. Changing the code of the module results in that portion being untested, and the CMVP is only able to make validation assurances for the tested configuration. As noted in our guidance:
The tested/validated module version, operational environment upon which it was tested, and the originating vendor are stated on the validation certificate. The certificate serves as the benchmark for the module-compliant configuration. (FIPS 140-2 IG G.5, FIPS 140-3 Management Manual 7.9)
However, we strongly recommend patching to safeguard the security of systems and data, noting that organizations must use their own Vulnerability, Patch and Risk Management programs, policies and procedures to make those decisions within the context of their organization. Simply, this is not a decision the CMVP has either the information necessary or the authority to make.
To reestablish those assurances as quickly as possible and minimize the risk, we also strongly recommend that vendors quickly have a CMVP certified lab test and submit an update for their module that reflects the patching/updating. The CMVP has expedited processes in place to handle these updates when they are in response to a published CVE or a security-relevant maintenance/bug fix (see FIPS 140-2 IG G.8 Scenario 3A, and FIPS 140-3 Management Manual 7.1.11 CVE).
To summarize, the CMVP would agree that quickly addressing a known risk and then following up with an expedited validation of the updated module is generally the best and recommended way to minimize the overall security risk for government agencies.