Accelerate Your FIPS 140-2 Validation

Rarely updated and often overlooked, the FIPS document Frequently Asked Questions for the Cryptographic Module Validation Program deserves a spot in your FIPS library.

Any technology vendor starting a FIPS 140-2 project needs to consider the following question addressed in the FAQ for the CMVP.

Can I incorporate another vendor’s validated cryptographic module?

Yes. A cryptographic module that has already been issued a FIPS 140-1 or FIPS 140-2 validation certificate may be incorporated or embedded into another product. The new product may reference the FIPS 140-1 or FIPS 140-2 validated cryptographic module so long as the new product does not alter the original validated cryptographic module. A product which uses an embedded validated cryptographic module cannot claim itself to be validated; only that it utilizes an embedded validated cryptographic module.

There is no assurance that a product is correctly utilizing an embedded validated cryptographic module – this is outside the scope of the FIPS 140-1 or FIPS 140-2 validation.

The advantages to using a previously validated cryptographic module are many:

  1. Rebranding – get a FIPS 140-2 certificate issued in your company’s name
  2. Schedule – accelerated validation
  3. Risk reduction – previously validated cryptography meets the requirements of FIPS
  4. Eliminate or reduce documentation and coding – use your engineering resources wisely
  5. Simplify testing – including documentation review, algorithm testing, source code review, operational testing
  6. Streamline CMVP review time – shorten your time in the CMVP queue (weeks not months)

We are happy to answer your questions about embedded FIPS modules. Please contact mark@KeyPair.us

KeyPair Consulting – expert guidance to meet your FIPS 140-2 goals

Leave a Reply

Your email address will not be published.