CCI-000635

Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.

Implementation Guidance

The organization being inspected/assessed, when using commercially provided IA or IA enabled IT products for which there is no NIAP-approved protection profile, relies on FIPS-validated cryptographic modules.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed, when using commercially provided IA or IA enabled IT products for which there is no NIAP-approved protection profile, relies on FIPS-validated cryptographic modules.

Compelling Evidence

1.) System security plan (SSP) cryptographic module documentation is FIPS-validated. 2.) Documentation must confirm it is from FIPS 201-approved products list.

The controls below (if any) were marked by NIST as being related to CCI-000635.