ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

Your organization is evaluating a third-party encryption software library for integration into a medical device's firmware. To ensure the library's cryptographic implementation has been independently tested and meets U.S. federal security requirements, which certification or attestation should you request from the vendor?

An ISO/IEC 20000-1 certification for IT service management
A PCI DSS Report on Compliance (ROC) from a Qualified Security Assessor
A SOC 2 Type II attestation report based on the AICPA Trust Services Criteria
A FIPS 140-3 validation certificate issued under the NIST Cryptographic Module Validation Program

Report Issue

Answer Description

The Federal Information Processing Standard (FIPS) 140-3 validation, issued through NIST's Cryptographic Module Validation Program (CMVP), is specifically designed to assess and certify cryptographic modules used by federal agencies and regulated industries. A valid FIPS 140-3 certificate demonstrates that the library's cryptographic algorithms, design, and implementation have been tested and approved by an accredited laboratory against stringent security requirements.

ISO/IEC 20000-1 addresses IT service management, not cryptographic strength. A SOC 2 Type II report evaluates a service organization's controls over security, availability, processing integrity, confidentiality, and privacy, but does not certify cryptographic modules. A PCI DSS Report on Compliance focuses on payment card data security for merchants and service providers, not on validating cryptographic libraries. Therefore, only a FIPS 140-3 certificate directly satisfies the requirement for validated cryptographic implementation.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.