Rarely updated and often overlooked, the FIPS document Frequently Asked Questions for the Cryptographic Module Validation Program deserves a spot in your FIPS library.
Any technology vendor starting a FIPS 140-2 project needs to consider the following question, which the CMVP FAQ addresses:
Can I incorporate another vendor’s validated cryptographic module?
Yes. A cryptographic module that has already been issued a FIPS 140-1 or FIPS 140-2 validation certificate may be incorporated or embedded into another product. The new product may reference the FIPS 140-1 or FIPS 140-2 validated cryptographic module so long as the new product does not alter the original validated cryptographic module. A product which uses an embedded validated cryptographic module cannot claim itself to be validated; only that it utilizes an embedded validated cryptographic module.
There is no assurance that a product is correctly utilizing an embedded validated cryptographic module – this is outside the scope of the FIPS 140-1 or FIPS 140-2 validation.
The advantages of using a previously validated cryptographic module are many:
- Rebranding – get a FIPS 140-2 certificate issued in your company’s name
- Schedule – accelerated validation
- Risk reduction – previously validated cryptography meets the requirements of FIPS
- Eliminate or reduce documentation and coding – use your engineering resources wisely
- Simplify testing – including documentation review, algorithm testing, source code review, operational testing
- Streamline CMVP review time – shorten your time in the CMVP queue (weeks not months)
We are happy to answer your questions about embedded FIPS modules. Please contact mark@KeyPair.us.
KeyPair Consulting – expert guidance to meet your FIPS 140-2 goals