Question DATA-05
Do all cryptographic modules in use in your product conform to the Federal Information Processing Standards (FIPS PUB 140-3)?
| Weight | 25 |
| High Risk | Yes |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
Provide a detailed description of all non-conforming modules.
Answering "YES"
Provide reference to FIPS 140-3 validation certificates.
Reason for Question
Beware the use of proprietary encryption implementations. Open standard encryption, preferably mature, is often preferred. Although there may be cases in which that is not the case, be sure to understand the vendor's infrastructure and the true security of a vendor's solution.
Follow-Up Inquiries
If the vendor cannot accommodate open standards encryption requirements, direct them to NIST's Cryptographic Standards and Guidelines document at https://csrc.nist.gov/Projects/Cryptographic-Standards-and-Guidelines (opens in a new tab)
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]