commit 84cb6c7f40f85720021d4cacaa30dc706ff8ffba
author Adam Langley <agl@chromium.org> Wed Feb 05 16:41:14 2025 -0800
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Wed Feb 05 19:39:27 2025 -0800
tree 087551fd35681da05478bcd4b9136c9ccba4935d
parent 0cb7370ca12e41a352370977c180d13ec363fd0c

Add a section on the latest FedRAMP policy to FIPS.md.

Change-Id: I6794c514175b810d21d1dae06bfb4d45621a511b
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75967
Auto-Submit: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

crypto/fipsmodule/FIPS.md

diff --git a/crypto/fipsmodule/FIPS.md b/crypto/fipsmodule/FIPS.md
index 9908d04..608aae9 100644
--- a/crypto/fipsmodule/FIPS.md
+++ b/crypto/fipsmodule/FIPS.md
@@ -1,6 +1,6 @@
-# FIPS 140-2
+# FIPS 140-3
 
-BoringSSL as a whole is not FIPS validated. However, there is a core library (called BoringCrypto) that has been FIPS validated. This document contains some notes about the design of the FIPS module and some documentation on performing FIPS-related tasks. This is not a substitute for reading the offical Security Policy.
+BoringSSL as a whole is not FIPS validated. However, there is a core library (called BoringCrypto) that has been FIPS validated. This document contains some notes about the design of the FIPS module and some documentation on performing FIPS-related tasks. This is not a substitute for reading the official Security Policy.
 
 Please note that we cannot answer questions about FIPS, nor about using BoringSSL in a FIPS-compliant manner. Please consult with an [accredited CMVP lab](http://csrc.nist.gov/groups/STM/testing_labs/) on these subjects.
 
@@ -16,6 +16,12 @@
 1. 2021-04-29: certificate [#4407](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407).
 1. 2022-06-13: certificate [#4735](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4735).
 
+## Update stream
+
+On 2025-01-16, the FedRAMP Board published an [updated policy](https://www.fedramp.gov/updates/docs/cryptographic-module/) on cryptographic modules. That policy suggests that module vendors should “promote the use of update streams over the use of validated module streams”. An _update stream_ “contains the latest patches and updates to be applied to software, regardless of the FIPS-validation status of the changed software”.
+
+BoringSSL's `main` branch is the update stream for the module. We intend to perform validations such all changes to the module are submitted to the CMVP within six months, as required by FRR7.
+
 ## Running ACVP tests
 
 See `util/fipstools/acvp/ACVP.md` for details of how ACVP testing is done.