Some vendors are piggybacking on others' efforts by downloading a free open-source software module that has gone through the submission process. You may hear an equipment vendor argue that an open-source software module is the same thing as a FIPS 140-2 certificate; this is simply untrue. If the physical Out of Band Management product has not been through the NVLAP lab validation process, then the box is not FIPS 140-2 validated. A non-FIPS 140-2 validated appliance is unsuitable for FISMA Moderate or FISMA High environments; it will not pass a FISMA audit. NIST notes on their website in regard to using this free module, “There is no assurance that a product is correctly utilizing an embedded validated cryptographic module – this is outside the scope of the FIPS 140-1 or FIPS 140-2 validation.”
FIPS 140-2 validation is a federal requirement and cannot be fudged. FIPS 140-2 certified is not the same as validated.
If you are unsure whether a product has been through the certification process, visit the NIST website. You can search for the product by the full company name at: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search
CDI operates under the full business name of Communication Devices, Inc.
For more information about FIPS validation, please visit NIST.GOV