Re: Are NSS bug fix releases still FIPS 140-2 certified?
You must use the specific binaries of version 220.127.116.11 from back in 2012 to
be really, honestly, truly FIPS 140 compliant.
Further, you must use a FIPS-certified implementation to verify the
integrity of that version in order to be really, no-kidding FIPS 140
compliant, or get it on a disk directly from Mozilla (and the cryptographic
integrity option is only available if the Security Policy explained how to
cryptographically validate the binaries that you received).
FIPS compliance is all about documenting the chain of custody. Once you
have that, make absolutely certain that you keep that chain of custody in a
safe along with the original disk that you received the binaries on.
(There might be a process for Mozilla to push a new version with a "vendor
change letter" or something, but that depends on their CMVP validation
provider and various strange and arcane NIST rules. I've been following
the OpenSSL FIPS validation saga and let me tell you, it's *awful*.)