|© Mats Tooming | Dreamstime Stock Photos|
Now, you would like to include the proper wording in your Security Policy. You may use the statements below (in bold type) to add operating environments supported by your module but not included in the FIPS validation testing process:
As allowed by FIPS 140-2 Implementation Guidance G.5, the validation status of the Cryptographic Module is maintained when operated in the following additional operating environments: [operating environment 1], [operating environment 2], …
The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when the specific operational environment is not listed on the validation certificate.
Note 1: Don't skip on the last statement -- it's a requirement.
Note 2: The additional operating environments that meet the porting requirements are not listed on the validation certificate posted on the NIST FIPS Validated Modules website. They will only appear in your Security Policy document that is available from that website.
Please leave a comment or contact me if you have questions.