FIPS Compliance and OpenSSL

Product vendors often rely on OpenSSL to meet FIPS requirements. With the new CMVP requirements and regulations, vendors using certain versions of the OpenSSL cryptographic library to meet FIPS 140-2 requirements are in jeopardy of being out of FIPS compliance.

The first step we must take is to understand the difference between compliance and validation.

FIPS Compliance vs FIPS Validated

There is a substantial difference between stating your product meets FIPS compliance and ‘FIPS 140-2 validated.’ FIPS compliance refers to a product that has incorporated within its design another company’s cryptographic module that went through the complete FIPS validation process. It does not hold as much weight as being able to claim ‘FIPS 140-2 validation.’

FIPS validation means a vendor has gone through the entire FIPS 140-2 evaluation process and has a certificate issued by the government for their specific product. Further, the product meets the legal requirements passed by Congress, as well as the procurement requirements for the U.S. government and different industries, including healthcare, financial services and critical infrastructure.

When you think about the security of a product, you would want to take every measure to ensure that all entry and access points are secure and meet the full government requirements for security. When you take the FIPS inside or compliant route, you are covering a small portion of what truly needs to be protected. When you complete a FIPS validation, you and the government are attesting to the security of the entire cryptographic module.

Now that we better understand the difference between the two, we can better understand why the new set of requirements is not only affecting product vendors that have relied on a FIPS inside strategy, but also for other certifications such as Common Criteria and listing on the DoDIN APL.

These affected modules thought to have met FIPS compliance will soon be un-procurable and removed from the FIPS validated list, impacting product vendors who are seemingly unaware.


For help determining if and how your product will be affected by this change, contact us and ensure you avoid timely and costly delays, or worse, de-listing from the CMVP website.