© Mats Tooming | Dreamstime Stock Photos |
Now, you would like to include the proper wording in your Security Policy. You may use the statements below (in bold type) to add operating environments supported by your module but
not included in the FIPS validation testing process:
As allowed by FIPS 140-2 Implementation
Guidance G.5, the validation status of the Cryptographic Module is maintained
when operated in the following additional operating environments: [operating environment 1], [operating environment 2], …
The CMVP makes no statement as to the
correct operation of the module or the security strengths of the generated keys
when the specific operational environment is not listed on the validation
certificate.
Note 1: Don't skip on the last statement -- it's a requirement.
Note 2: The additional operating environments that meet the porting requirements are not listed on the validation certificate posted on the NIST FIPS Validated Modules website. They will only appear in your Security Policy document that is available from that website.
Please leave a comment or contact me if you have questions.
Mark Minnoch is an Account Manager at InfoGard Laboratories.
No comments:
Post a Comment