The FIPS 140-2 validation process examines the cryptographic modules. Level 1 examines the algorithms used in the cryptographic component of the software. Levels 2-4 build on the software component by adding different layers of physical security. … Compliant means some but not all of the product has been FIPS validated.
CDI has gone through the rigorous process of getting our entire Federal product line certified as FIPS 140-2 validated. The validation process requires providing source code, schematics, and security policy to a certified NVLAP lab. A product cannot be “self-certified” any more than an individual can be self-proclaimed. After the arduous NVLAP lab process is completed, a company is then awarded a certificate number. This certificate is good for five (5) years, after which time it becomes legacy if not resubmitted.
Some vendors are piggybacking on others’ efforts by using a free open-source software module that has gone through the submission process. You may hear the argument from an equipment vendor that an open-source software module is the same thing as a FIPS 140-2 certificate; this is simply untrue. If the physical Out of Band Management product has not been through the NVLAP lab validation process, then the box is not FIPS 140-2 validated. An appliance that is not FIPS 140-2 validated is unsuitable for FISMA Moderate or FISMA High environments; it will not pass a FISMA audit.
FIPS 140-2 validation is a federal requirement and cannot be fudged. FIPS 140-2 certified is not the same as validated.
If you are unsure whether a product has been through the certification process, visit the NIST website. You can search for the product by the full company name at: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search
CDI operates under the full business name of Communication Devices, Inc.
For more information about FIPS validation, please visit NIST.GOV