DGI Logo
spacer
contact >  
home >  
search >   		 company head

 Information on Re-Audit and Refresh Audit policy

Initial Audit

DEA requires systems that are used to process CSOS orders, the system developer or vendor must have an initial independent third party audit of the system.

Typically, commercial software vendor A will offer a CSOS product; embedded in the CSOS product is a FIPS certified cryptographic module from a separate commercial software vendor B. The corporate end user will purchase the CSOS Product from vendor A and require vendor A to provide proof that the CSOS Product was audited.

Drummond Certified audits are performed on pre-installed, off-the-shelf commercial software or in some cases on in-house built systems by the end-user. The Drummond Certified for CSOS certificate specifies the exact name and version of the CSOS Product. The certificate does not specify the name of the underlying FIPS certified cryptographic module, but the certificate does specify that a FIPS certified cryptographic module is embedded and is being used in FIPS mode. The date specified on the CSOS Audit Certificate and the Drummond Certified seal is the date the Certificate is issued. The CSOS Audit Certificate will be made publicly available and posted on the DGI website.

DGI will also provide a Final Report to the audited party which provides technical details of the CSOS Audit. DGI will only release the Final Report to the audited party, but the audited party is free to share the results with any third parties.

Re-Audit

The legal responsibility to determine when a product must be re-audited is on the Registrant (the corporate end user). The commercial software vendor has an implied responsibility to determine when the CSOS Product must be Re-Audited. DEA requires a secondary, additional audit whenever the signing or verifying functionality is changed for a CSOS Product.

DGI provides these guidelines to determine if a Re-Audit is necessary;

Re-Audit Guidelines:

  1. CSOS Product is changed to use a new version of the embedded FIPS validated security module.
  2. CSOS Product is changed to use a different embedded FIPS validated security module from a different vendor.
  3. CSOS Product is changed so that there is a difference in the use of the API (Application Programmatic Interface) between the CSOS Product and the embedded FIPS validated security module, which changes the methods or process of digital signature and or digital signature verification.
  4. CSOS Product is changed so that the methods or process of digital signing and or verification is changed, for example the digital signature algorithm is changed from RSA to DSA.

Re-Audit Process:

The process for Re-Audit is the same as the process for an original Audit. A new Final Report and a new CSOS Certificate will be created.

Refresh Audit

There are some situations where the software vendor/developer may want an updated certificate because they have either made product name with version name changes for purely marketing reasons or when they have made changes to their product which do not affect the key digital signature functions. In this situation, the commercial software vendor may desire to obtain an up-to-date certification which references the most recent version of their CSOS Product.

A Refresh Audit will verify that the key digital signature features have not changed...i.e. the embedded FIPS cryptographic module has not changed and the methods and process used to digitally sign an order, verify digital signature of an order and to store and use private keys have not changed. Refresh Audits will be executed remotely by DGI Auditors inspecting the new product version code and comparing to the Audited version. As with all DGI CSOS Audit processes, the software code will be held in complete confidentiality.

DGI provides these guidelines to determine if a Refresh Audit may be executed versus requiring a Re-Audit.

Refresh Audit Guidelines:

  1. For marketing purposes, or due to acquisition etc, the name of the product is changed but the code base of the product has not changed.
  2. For marketing purposes, the product will now be sold under more than one product name
  3. Functional changes are made to the product which do NOT involve changes to the key digital signature functions. For example, the CSOS Product adds significant new DEA reporting features out of scope for the audit and releases these changes in a new version of the CSOS Product.

Refresh Audit Process:

During the Refresh Audit DGI will:

  • Request necessary code and or screen shots that confirm:
    • The FIPS validated cryptographic module with version is the exact same product-with-version from the original audit
    • The API services invoked are the exact same API services as documented during the original audit
    • The methods and process for digital signature and verification of digital signature are the exact same methods as the original audit. The same cryptographic algorithms are being used, and are being invoked in the same manner
    • The methods used to store and communicate private keys are the exact same methods used during the original audit

  • DGI will provide an updated Final Report, that will contain an addendum explaining the Refresh Process, and that the new product name and or version is considered to be Drummond Certified for CSOS

  • DGI will publish a new CSOS Certificate that declares the new product name and or version is Drummond Certified for CSOS. Effectively, the Certificate will be exactly the same as the original certificate, only the date of audit and name/version of the product will change. As during the original audit, the date listed on the CSOS Certificate is the date the Certificate is issued.

Failed Audit

An Audit shall be deemed Failed if the Audited Party fails to successfully pass one or more of the Required Tests.

If the Audited Party schedules an additional onsite visit to complete the Audit, DGI will hold open the Final Report and will not issue a Final Report until the additional onsite visit is completed.

If the final result is that the Audit is still considered a Failed Audit:

  • The Audit Archive will be created and maintained confidentially
  • Final Report will be created and issued to Audited Party
  • DGI CSOS Certificate will NOT be issued
  • DGI CSOS Seal will NOT be issued


 

© 2008 Drummond Group, Inc.