ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

Your organization plans to integrate a third-party cryptographic library into a payment processing platform. To verify that the library's encryption implementation meets U.S. federal security requirements for cryptographic modules, which independent certification should you require from the vendor?

SOC 2 Type II attestation report based on the Trust Services Criteria
ISO/IEC 27001:2013 information security management system certification
Vendor-completed PCI DSS Self-Assessment Questionnaire (SAQ)
FIPS 140-3 validation certificate issued under NIST's Cryptographic Module Validation Program

Report Issue

Answer Description

The Federal Information Processing Standard (FIPS) 140-3 specifies security requirements for cryptographic modules used by U.S. federal agencies and many regulated industries. Validation through NIST's Cryptographic Module Validation Program (CMVP) confirms that a vendor's module has been independently tested and meets those requirements. ISO/IEC 27001 certifies an organization's overall information security management system, not the correctness of a specific cryptographic implementation. A SOC 2 Type II report attests to service-organization controls but does not assess cryptographic modules against federal criteria. A PCI DSS Self-Assessment Questionnaire is a self-attestation and focuses on payment card environments rather than rigorous cryptographic validation. Therefore, requesting a FIPS 140-3 validation certificate is the appropriate way to gauge the security of the third-party cryptographic library.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.