Question OPDC-07
Do you employ or allow any cryptographic modules that do not conform to the Federal Information Processing Standards (FIPS PUB 140-2)?
| Weight | 40 |
| High Risk | Yes |
| Required | Yes |
| Compliant Answer | No |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
EDUCAUSE provides no guidance here
Answering "YES"
Provide a detailed description of all nonconforming modules.
Reason for Question
Beware the use of proprietary encryption implementations. Open standard encryption, preferably mature, is often preferred. Although there may be cases if which that is not the case, be sure to understand the vendor's infrastructure and the true security of a vendor's solution.
Follow-Up Inquiries
If the vendor cannot accommodate open standards encryption requirements, direct them to NIST's Cryptographic Standards and Guidelines document at https://csrc.nist.gov/Projects/Cryptographic-Standards-and-Guidelines (opens in a new tab)
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]