No, strictly speaking, you cannot. Just because you use a FIPS 140-2 certified cryptographic module doesn't mean that your application is FIPS 140-2 certified. It means that your application includes (or uses) a FIPS 140-2 certified cryptographic module. Or, as it is sometimes called, "FIPS Inside". Any organization that cares will ask for the CMVP certificate number and look it up. The certificate will identify the validated configuration. On Wed, 3 Jul 2019 at 13:05, Dipak B <deepak.redmi2@xxxxxxxxx> wrote: > > Dear Experts, > > Can you please help with the following questions? > All inputs are appreciated. > > a) Can we call an Win32 application built with FIPS Capable OpenSSL as FIPS 140-2 Certified in strict sense? > where FIPS Capable OpenSSL is OpenSSL built using the FOM (fipscanister.lib) > > I am seeking clarity although read through both Users Guide and Security Policy. > > Thank you, > Deepak -- Eric Jacksch, CPP, CISM, CISSP eric@xxxxxxxxxxx Twitter: @EricJacksch https://SecurityShelf.com
