April 7-10, 2025 | Marriott Downtown at CF Toronto Eaton Centre, Canada

Beyond the Certificate: Pursuing Full FIPS Compliance in Cryptographic Products (U31c)

The Cryptographic Module Validation Program (CMVP) frequently validates cryptographic libraries and software modules on the basis of specific algorithms, assuming that calling applications will integrate the library functions to manage key handling and higher-level cryptographic protocols. However, an industry-wide practice is to incorporate a FIPS 140-validated cryptographic module into a product and then claim FIPS 140 compliance for the product as a whole. This approach often leaves security gaps and fails to meet the full spirit of the FIPS 140 requirements.

This talk addresses the need for clearer guidance, urging vendors to ensure FIPS compliance for the entire product, not just the embedded module. It will also discuss, from the perspective of a Cryptographic and Security Testing (CST) laboratory, how to achieve this assurance beyond the initial FIPS validation. Additionally, the talk will offer guidance for customers who may lack the technical background to ask the right questions and confirm whether the FIPS 140 certificate caveats and the module's Security Policy guidance have been fully considered and implemented.