Determining FIPS 140-2 compliance in a medical device

#1
Background: Medical startup (first product) - device is a point of care x-ray system which interfaces with PACS/DICOM storage through Wi-Fi. The Veterans Health Administration, when initiating an enterprise risk assessment, asks for a FIPS 140-2 certification number for any wireless networked devices.

Question: It could very well be that our device is not FIPS 140-2 compliant, but if it is, how would we demonstrate compliance? For the purpose of the VHA ERA this information is submitted through the form on the VA Directive 6550 Appendix A simply asking for the certification number. Would this need to be a custom certification for our (software) system? Or just a reference to the underlying cryptographic module that has a certification number already on file with the NIST database?

Details: Device is running a Java application that manages all network traffic - contains OpenSSL 3.0 using the AES-256 algorithm - running on a Debian 10 OS on an Intel NUC with an Intel network adapter.

Thanks for any assistance,
Tom
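One practical point that bears on the certification-number question in the post above: in OpenSSL 3.x the validated cryptographic module is the separately built and installed FIPS provider (fips.so), not the default provider that ships with a stock OpenSSL 3.0 build. A certificate number on the NIST CMVP list therefore only describes the device if that provider is actually installed and activated, regardless of which algorithm (AES-256 or otherwise) the application selects. The script below is an added example, not code from this thread or from the OpenSSL project. It parses the output of `openssl list -providers` (sample output is constructed inline for a host with and without the FIPS provider) and reports whether a provider named `fips` is active, which is the evidence you would want in hand before citing the module's certificate. The configuration layout in the comments follows OpenSSL's fips_module(7) documentation; the `.include` path is installation-specific and assumed here.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the OpenSSL 3.x FIPS
# provider is active on a host by parsing `openssl list -providers`.
#
# From OpenSSL's fips_module(7) documentation, the validated module is the
# FIPS provider (fips.so), activated through openssl.cnf roughly like this
# (the .include path below is installation-specific and assumed here):
#
#   openssl_conf = openssl_init
#   .include /usr/local/ssl/fipsmodule.cnf   # written by `openssl fipsinstall`
#   [openssl_init]
#   providers = provider_sect
#   [provider_sect]
#   fips = fips_sect
#   base = base_sect
#   [base_sect]
#   activate = 1
#
# Without that, OpenSSL 3.0 runs the (unvalidated) default provider even when
# it uses AES-256, so a module certificate number would not apply to the device.

# Constructed sample output of `openssl list -providers`: default provider only.
SAMPLE_NO_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active'

# Constructed sample output: FIPS provider loaded and active alongside base.
SAMPLE_FIPS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active'

# fips_provider_active: reads `openssl list -providers` output on stdin.
# Prints "fips <version> active" and returns 0 when a provider named "fips"
# reports status "active"; otherwise prints a diagnostic and returns 1.
fips_provider_active() {
    awk '
        # A two-space-indented line without a colon names a provider section.
        /^  [^ ]/ && !/:/ { prov = $1; next }
        # Inside the fips section, remember the version and the status.
        prov == "fips" && /version:/ { ver = $2 }
        prov == "fips" && /status:/  { if ($2 == "active") found = 1 }
        END {
            if (found) { print "fips " ver " active"; exit 0 }
            print "fips provider not active"; exit 1
        }'
}

# check_host: runs the real command on a host that has the openssl CLI.
# Not exercised by the sample data above; this is the call to run on the device.
check_host() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl list -providers | fips_provider_active
}
```

On the device, source the script and run `check_host`; a non-zero status means the FIPS provider is not active and the application is using the default provider. A passing check is necessary but not sufficient: the installed provider's version must also match the version named on the certificate, and the application must be configured so that only that provider's algorithms are used.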

Tidge

Trusted Information Resource
#3
Question: It could very well be that our device is not FIPS 140-2 compliant, but if it is, how would we demonstrate compliance?
...
Details: Device is running a Java application that manages all network traffic - contains OpenSSL 3.0 using the AES-256 algorithm - running on a Debian 10 OS on an Intel NUC with an Intel network adapter.
So... it sounds like the design has an architecture where you allocated elements of the interface to identified implementation details. This is good!

To demonstrate compliance, it is best that you have dedicated system level requirements that trace to this architecture (and implemented solution), with appropriate verification that the system level requirements are satisfied. I have no specific familiarity with "FIPS 140-2" certification, so it is possible that your solution is compliant (by accident?), but it is best to design it for compliance. For legacy solutions, the only recourse is to start with the requirements and analyze the solution for conformity... this is likely what a 3rd-party assessor will do... although I can imagine them "kicking the tires" as well. Please let us know how you proceed and what you learn!