The FIPS 140-2 validation process examines cryptographic modules. Level 1 examines the algorithms used in the cryptographic component of the software. Levels 2-4 build on the software component by adding different layers of physical security. … using the term “FIPS 140-2 Compliant” means absolutely nothing. A product that has been submitted to NIST receives the official designation “FIPS validated” and has a certificate issued by NIST whose life should never exceed 5 years. The validated product needs to be re-submitted every 5 years to maintain current validation, at which time the certificate will be updated with that year.
CDI has gone through the rigorous process of getting our entire Federal product line certified as FIPS 140-2 validated. The validation process requires providing source code, schematics, and security policy to a certified NVLAP lab. A product cannot be “self-certified” any more than an individual can be self-proclaimed. After the arduous NVLAP lab process is completed, a company is then awarded a certificate number. This certificate is good for five (5) years after which time it becomes legacy if not resubmitted.
Some vendors are piggybacking on others’ efforts by downloading a free open-source software module which has gone through the submission process. It is possible to hear the argument from an equipment vendor that an open-source software module is the same thing as a FIPS 140-2 certificate; this is simply untrue. If the physical Out of Band Management product has not been through the NVLAP lab validation process, then the box is not FIPS 140-2 validated. A non-FIPS 140-2 validated appliance is unsuitable for FISMA Moderate or FISMA High environments; it will not pass a FISMA audit. NIST notes on their website in regard to using this free module, “There is no assurance that a product is correctly utilizing an embedded validated cryptographic module – this is outside the scope of the FIPS 140-1 or FIPS 140-2 validation.”
FIPS 140-2 validation is a federal requirement and cannot be fudged. FIPS 140-2 certified is not the same as validated.