CCI-000635
CCI-000635 Definition
Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed, when using commercially provided IA or IA enabled IT products for which there is no NIAP-approved protection profile, relies on FIPS-validated cryptographic modules.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed, when using commercially provided IA or IA enabled IT products for which there is no NIAP-approved protection profile, relies on FIPS-validated cryptographic modules.
Compelling Evidence
1.) System security plan (SSP) cryptographic module documentation is FIPS-validated. 2.) Documentation must confirm it is from FIPS 201-approved products list.