FIPS Standard
4.5.5.2 Environmental Failure Testing Procedures (Alternative 2)
Environmental failure testing (EFT) shall involve a combination of analysis, simulation, and testing of a cryptographic module to provide reasonable assurance that environmental conditions or fluctuations (accidental or induced) outside the module's normal operating ranges for temperature and voltage will not compromise the security of the module.
EFT shall demonstrate that, if the operating temperature or voltage falls outside the normal operating range of the cryptographic module resulting in a failure of the electronic devices or circuitry within the module, at no time shall the security of the cryptographic module be compromised.
The temperature range to be tested shall be from -100° to +200° Celsius (-150° to +400° Fahrenheit). The voltage range to be tested shall be from the smallest negative voltage (with respect to ground) that causes the zeroization of the electronic devices or circuitry to the smallest positive voltage (with respect to ground) that causes the zeroization of the electronic devices or circuitry, including reversing the polarity of the voltages.
Documentation shall specify the normal operating ranges of the cryptographic module and the environmental failure tests performed.
4.6 Operational Environment
The operational environment of a cryptographic module refers to the management of the software, firmware, and/or hardware components required for the module to operate. The operational environment can be non-modifiable (e.g., firmware contained in ROM, or software contained in a computer with I/O devices disabled), or modifiable (e.g., firmware contained in RAM or software executed by a general purpose computer). An operating system is an important component of the operating environment of a cryptographic module.
A general purpose operational environment refers to the use of a commercially-available general purpose operating system (i.e., resource manager) that manages the software and firmware components within the cryptographic boundary, and also manages system and operator(s) processes/thread(s), including general-purpose application software such as word processors.
A limited operational environment refers to a static non-modifiable virtual operational environment (e.g., JAVA virtual machine on a non-programmable PC card) with no underlying general purpose operating system upon which the operational environment uniquely resides.
A modifiable operational environment refers to an operating environment that may be reconfigured to add/delete/modify functionality, and/or may include general purpose operating system capabilities (e.g., use of a computer O/S, configurable smart card O/S, or programmable firmware). Operating systems are considered to be modifiable operational environments if software/firmware components can be modified by the operator and/or the operator can load and execute software or firmware (e.g., a word processor) that was not included as part of the validation of the module.
If the operational environment is a modifiable operational environment, the operating system requirements in Section 4.6.1 shall apply. If the operational environment is a limited operational environment, the operating system requirements in Section 4.6.1 do not apply.
Documentation shall specify the operational environment for a cryptographic module, including, if applicable, the operating system employed by the module, and for Security Levels 2, 3, and 4, the Protection Profile and the CC assurance level.