The PSA JSA issues certificates that detail the date of evaluation and specific versions of hardware and software. The reader of the certificate should consider that, as time elapses after certification, the confidence in the certificate will diminish. The PSA JSA does not expire certificates but depends on the judgement of those relying on them to factor in the effect of changes over time.
The PSA JSA recommends:
- That certificates be annually considered for renewal by their holders to refresh the confidence.
- When the hardware or software version has a design change, that change should be analysed by the developer to see if it has the potential to affect the security of the original hardware or software. If so, this should trigger a review of whether the original certification should be renewed.
- Upon receipt of threat intelligence of a vulnerability that is likely to impact security, an urgent review of whether the certification should be renewed should be undertaken by the developer, and the PSA JSA certification body should be informed if the original certificate is no longer valid.
- PSA Certified evaluation laboratories should contact developers on or around the second anniversary of the certificate to establish if it should be renewed.
A re-certification should be discussed with an approved PSA Certified evaluation laboratory. A resulting replacement certificate will normally keep the same EAN-13 number reference but have the first digit of the +5 additional digits incremented.