NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-13(1) FIPS-validated Cryptography

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

All cryptography used in the system must be FIPS-validated — meaning the specific software or hardware module has been tested and certified by an accredited lab.

Example 1: Verify that your Windows Cryptographic Providers appear on the NIST Cryptographic Module Validation Program (CMVP) list. Check the certificate number and ensure it covers the algorithms you are using.

Example 2: For third-party encryption products (VPN appliances, database encryption), request the vendor's FIPS 140-2 or 140-3 validation certificate before purchasing. Confirm the certificate is current, not expired or historical.