Selecting a CMVP validated product

This page explains how system architects and purchasers can select the most appropriate CMVP validated products to meet their functional needs.

CMVP certificates have several information fields that the CCCS recommends consulting in procurement decisions:

  • Module name and versions: The CCCS recommends that the version of the product being procured exactly matches the one on the certificate. Note that one certificate may represent more than one product model, so read it carefully.
  • Caveat: There may be a caveat on the validation certificate indicating whether a module has both Approved and non-Approved modes. If there is no caveat, then the module only has an Approved mode. There may be other caveats on the certificate that also identify how the module needs to be configured for Approved use. The CCCS recommends the use of products in Approved modes.
  • Security levels: The overall level, and the levels for the individual security requirement areas, represent how well the module physically and logically protects its integrity and cryptographic keys, with 1 being the lowest and 4 being the highest. The CCCS advises that the overall rating of a cryptographic module is not necessarily the most important rating; instead, it is the rating(s) specifically related to the product's use to meet security requirements.
  • Tested Configurations: This section lists the operational environment on which a software module was tested. The CMVP allows a user to port a validated software module to an operational environment which was not included as part of the validation testing. The CCCS recommends using validated products in operational environments that match the testing environment as closely as possible.
  • FIPS Algorithms: This is the list of CCCS-recommended algorithms implemented by the module. The vendor selects these algorithms from those listed in the Annexes to FIPS 140-2.
  • Security Policy: Certificates include a link to the module’s non-proprietary security policy. This security policy specifies the security rules under which a cryptographic module will operate, including how to operate the module in the FIPS approved mode of operation, the rules derived from the requirements of this standard and additional rules imposed by the vendor. It also provides more details on available services, algorithms, and keys. The CCCS recommends following any guidance in this security policy.

Choosing the correct product for an architecture is a complex task. The CCCS recommends taking the time to select the right product for the right use.
