All modules
CMVP Validated Module · FIPS 140-3 Security Policy

KIOXIA FIPS TC58NC1132GTC Crypto Sub-Chip

Certificate#4650StandardFIPS 140-3Level2TypeHardwareEmbodimentSingle ChipStatusActiveVendorKIOXIA Corporation
High review priority  ·  exposes HSM/SE firmware trust anchor  ·  last validated 32 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date10/31/2028
EntropyENT (P)
CaveatNone
VendorKIOXIA Corporation
Hardware versions0001

Vendor resources (verify with the vendor)

Product pagehttps://americas.kioxia.com/en-us/business/ssd/solution/security.html
Support pagehttps://americas.kioxia.com/en-us/business/ssd/solution/security.html partial support
Documentationhttps://americas.kioxia.com/en-us/business/ssd/document.html
https://americas.kioxia.com/content/dam/kioxia/en-us/business/ssd/asset/productbrief/KIOXIA_Enterprise_DataCenter_SSD_Security_Tech_Brief.pdf
AssessmentPublic security page, a public 'Download SSD Documents' library, and per-cert CMVP links; drive-level SED/FIPS integration detail ships with the product or under NDA. No standalone crypto-module support portal.

Approved Algorithms (6)

AlgorithmACVP Cert
AES-CBCC1925
Hash DRBGC2002
HMAC-SHA2-256C1925
KDF SP800-108C2001
RSA SigVer (FIPS186-4)C2009
SHA2-256C1925

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces2
Roles, Services, and Authentication2
Software/Firmware Security2
Operational EnvironmentN/A
Physical Security2
Sensitive Security Parameter Management2
Mitigation of Other AttacksN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for KIOXIA FIPS TC58NC1132GTC Crypto Sub-Chip
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>SC02AS</i>"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware load<br/>Load Firmware</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Firmware Verification Random Number Generation…</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C2,C3,C6 clue;
  class I1,I2,I3,I6 infer;
  class R1,R2,R3,R6 risk;
  class E1,E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for KIOXIA FIPS TC58NC1132GTC Crypto Sub-Chip
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>SC02AS</i><br/>src: certificate.firmwareVersions"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware load<br/>Load Firmware</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Firmware Verification Random Number Generation…</i><br/>src: securityPolicy.services"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C3 clueHigh;
  class C2,C6 clueLow;

Security Policy, page by page

Page 1

KIOXIA FIPS TC58NC1132GTC Crypto Sub-Chip KIOXIA CORPORATION Rev 2.4.0 Oct 27, 2023

Page 3
Security level
NameISO SectionLevel
1. General1. General2
2. Cryptographic Module Specification2. Cryptographic Module Specification2
3. Cryptographic Module Interfaces3. Cryptographic Module Interfaces2
4. Roles, Services, and Authentication4. Roles, Services, and Authentication2
5. Software/Firmware Security5. Software/Firmware Security2
6. Operational Environment6. Operational EnvironmentN/A
7. Physical Security7. Physical Security2
8. Non-invasive Security8. Non-invasive SecurityN/A
9. Sensitive Security Parameter Management9. Sensitive Security Parameter Management2
10. Self-tests10. Self-tests2
11. Life-cycle Assurance11. Life-cycle Assurance2
12. Mitigation of Other Attacks12. Mitigation of Other AttacksN/A
Overall LevelOverall Level2

This document explains precise specification of the security rules about KIOXIA FIPS TC58NC1132GTC Crypto Sub-Chip. The Cryptographic Module (CM) meets the requirements of FIPS 140-3 Security Level 2 Overall. The Table below shows the security level detail. N/A N/A N/A Table 1 - Security Levels This document is non-proprietary and may be reproduced in its original entirety. Section 1.1 - Acronyms AES Advanced Encryption Standard CM SSP DRBG Deterministic Random Bit Generator HMAC The Keyed-Hash Message Authentication code KAT Known Answer Test POST Pre-Operational Self-Test CAST Cryptographic Algorithm Self-Test PSID Printed SID SED Self-Encrypting Drive SHA Secure Hash Algorithm SID Security ID TCG Trusted Computing Group LBA Logical Block Address Oct 27, 2023

Page 4
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES256 (FIPS 197 / SP800-38A)#C1925CBCKey Size: 256 bits/ Key Strength: 256 bitsData Encryption/ Decryption
SHA256 (FIPS 180-4)#C1925N/AN/AHashing messages
Physical single-chipThe sub-chip cryptographicThe associated
subsystem soft circuitry corefirmware
TC58NC1132GTC 0003TC58NC1132GTC CRPT module 0001SC02AS

Section 2

Page 5
Approved algorithm
NameCAVP CertMode MethodKey Size
HMAC-SHA256 (FIPS 198-1)#C1925N/AKey Size: 256 bits/ Key Strength: 256 bitsMessage Authentication Code
RSASSA-PKCS#1-v1_5 (FIPS 186-4)#C2009N/AKey Size: 2048 bit/ Key Strength: 112 bitsSignature verification
Hash_DRBG (SP800-90A Rev.1)#C2002N/AHash based: SHA256Deterministic Random Bit Generation
KBKDF (SP800-108 Revised)#C2001CounterMACs: HMAC-SHA256/ Key Size: 256 bits/ Key Strength: 256 bitsKey derivation
KTS (IG D.G)#C1925N/ACombination of AES256 CBC Mode and HMAC-SHA256 / Key Size: 256 bits/ Key Strength: 256 bitsKey Transport Scheme
CKG (SP800-133 Rev.2)Vendor AffirmationN/AMethods described in section 4 of the SP800-133 Rev.2Cryptographic Key Generation
Entropy Source (SP800-90B)ENT(P)N/AN/AHardware RNG used to seed the approved Hash_DRBG.

N/A N/A N/A N/A N/A N/A N/A Table 3 - Approved Algorithm The CM does not implement any Non-Approved Algorithms Allowed in the Approved Mode of Operation. Section 2.3

Page 6
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
Mailbox DMACMailbox DMACData InputMailbox input parameter.
Mailbox DMAC Key Store RegisterMailbox DMAC Key Store RegisterData OutputMailbox output parameter. Encryption key for use of other functional subsystems. Range information.
MailboxMailboxControl InputMailbox command information.
MailboxMailboxStatus OutputMailbox command result.
Power PINPower PINPower InputPower

Figure 1

Page 7
Service
NameRolesInputOutput
Cryptographic Erase Set PIN (for EraseMaster)FIPS Crypto Officer (EraseMaster)Mailbox commandMailbox command result Exported encryption key Range information
Download Port Lock/Unlock Firmware Download1 Set PIN (for SID)FIPS Crypto Officer (SID)Mailbox commandMailbox command result
Band Lock/Unlock (for GlobalRange) Set Band Position and Size (for GlobalRange) Set PIN (for BandMaster0)FIPS Crypto Officer (BandMaster0)Mailbox commandMailbox command result Exported encryption key Range information
Band Lock/Unlock (for Band1) Set Band Position and Size (for Band1) Set PIN (for BandMaster1)FIPS Crypto Officer (BandMaster1)Mailbox commandMailbox command result Exported encryption key Range information
Band Lock/Unlock (for Band64) Set Band Position and Size (for Band64) Set PIN (for BandMaster64)FIPS Crypto Officer (BandMaster64)Mailbox commandMailbox command result Exported encryption key Range information
Firmware Verification Random Number Generation Show Status ZeroisationNoneMailbox commandMailbox command result
ResetPowerN/A
Sensitive security parameter
NameTypeStrengthAuthentication
EraseMasterCrypto Officer1 / 264 < 1 / 1,000,000RolePIN30 / 264 < 1 / 100,000
SIDCrypto Officer1 / 264 < 1 / 1,000,000RolePIN30 / 264 < 1 / 100,000
BandMaster0Crypto Officer1 / 264 < 1 / 1,000,000RolePIN30 / 264 < 1 / 100,000
BandMaster1Crypto Officer1 / 264 < 1 / 1,000,000RolePIN30 / 264 < 1 / 100,000
BandMaster64Crypto Officer1 / 264 < 1 / 1,000,000RolePIN30 / 264 < 1 / 100,000

Section 4

Page 8
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Band Lock/UnlockLock or unlock setting for read/ write of user data in a band.BandMaster0 … BandMaster6 4KDK MEKsKBKDFE G, R, ZMailbox command result
HMAC-SHA256System MAC KeyHMAC-SHA256E
Cryptographic EraseErase user data (in cryptographic means) by changing the key that derives the data encryption key.EraseMasterDRBG Internal Value KDKCKG (Hash_DRBG)E G, ZMailbox command result
KBKDFKDK MEKsKBKDFE G, R, Z
HMAC-SHA256System MAC KeyHMAC-SHA256E
AES256-CBCSystem Enc KeyAES256-CBCE
KTSKDKKTSW, R
Download Port Lock/UnlockLock / unlock firmware download.SIDN/AN/AN/AMailbox command result
Firmware VerificationDigital signature verification for firmware outside the CM.NonePublic Key embedded on the CMʼs codeRSASSA-PKCS#1-v 1_5EMailbox command result
Firmware DownloadDownload a firmware image3.SIDPubKey1SHA256W, EMailbox command result
RSASSA-PKCS#1-v 1_5PubKey1RSASSA-PKCS#1-v 1_5E

The CM performs role authentication by comparing whether the PIN entered by the user matches the information stored inside the CM. PINs are hashed with SHA-256 to store them on the CM. The PIN entered by the user is hashed and compared to the stored PIN hash. PINs can be changed by executing the Set PIN Service (see Section4.2) with appropriate roles authenticated. The CM refuses to set a PIN less than 8 bytes, and responds with an error if such a setting is attempted. Therefore, the probability that a random attempt will succeed is 1 / 264 < 1 / 1,000,000 (the CM accepts any value (0x00-0xFF) as each byte of PIN). The CM waits 2sec when authentication attempt fails, so the maximum number of authentication attempts is

30 times in 1 min. Consequently, the probability that random attempts in 1min will succeed is

30 / 264 < 1 / 100,000.

Section 4.2

Page 9
Approved algorithm
NameUse Function
Hash_DRBGRandom Number GenerationProvide a random number generated by the CM.DRBG Internal ValueNoneEMailbox command result
CKG (Hash_DRBG)Set Band Position and SizeSet the location and size of the band.DRBG Internal Value KDKBandMaster0 … BandMaster6 4E G, ZMailbox command result
KBKDFKDK MEKsE G, R, Z
HMAC-SHA256System MAC KeyE
AES256-CBCSystem Enc KeyE
KTSKDKW, R
SHA256Set PINSet PIN (authentication data).PINsEraseMaster SID BandMaster0 … BandMaster6 44W, EMailbox command result
HMAC-SHA256System MAC KeyE
AES256-CBCSystem ENC KeyE
KTSPINsW, R
N/AShow StatusReport status of the CM and versioning information.N/ANoneN/AMailbox command result
N/AZeroisationErase SSPs.RKeyNone5ZMailbox command result
KDKKDKZ
PINsPINsZ
System MAC KeySystem MAC KeyZ
System Enc KeySystem Enc KeyZ
DRBG Internal ValueDRBG Internal ValueZ
N/APower-OFF: Delete SSPs in RAM.System MAC KeyZ
System Enc KeySystem Enc KeyZ
KDKKDKZ
PINsPINsZ
DRBG Internal ValueDRBG Internal ValueZ
PubKey1PubKey1Z
RSASSA-PKCS#1-v 1_5PubKey1W, E
KBKDFRkey System MAC Key System Enc KeyE G G
Entropy SourceDRBG SeedG
Hash_DRBGDRBG Seed DRBG Internal ValueE, Z G
HMAC-SHA256System MAC KeyE
AES256-CBCSystem Enc KeyE
KTSKDK PINsW W

a E E … G, Z E G, R, Z E E N/A N/A W, R W, E E … E W, R N/A N/A Z Z Z Z Z Z N/A Z Z Z Z Z Reset Power-ON: Runs various Z W, E E G 1_5 self-tests to be G performed at G power-on ( POSTs, E, Z G CASTs, Firmware N/A Load test ) and E generate / import E some SSPs. W W Each role can set a PIN for themselves only. Need to input PSID, which is public drive-unique value used for the zeroisation service. Oct 27, 2023

Page 10

Derive MEKs if the KBKDF corresponding band KDK E MEKs G, R, Z has been unlocked by the appropriate roles. Note 1: “CKG(Hash_DRBG)” means direct use of Hash_DRBG output as a key. Note 2: “PINs” in the above table means “SID/BandMaster(s)/EraseMaster PINs”. Table 7 - Approved services Section 5

Page 11
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZeroisation
RKey256KBKDF (#C2001)Hash_DRBG (Method SP800-133 Rev.2 Section 4)ManufacturingPlaintext in OTPDerivation of System Enc Key and System MAC KeyN/AExplicit Zeroisation service
System Enc Key256AES-CBC (#C1925)KDF in Counter ModePower-OnPlaintext in RAMData Encryption / Decryption for KTSN/AExplicit Zeroisation
Physical Security MechanismRecommended Frequency ofInspection/Test Guidance Detail
Inspection/Test
Passivated opaque packageEvery month or every two monthsConfirmation that there is no visual damage

Front Back Figure 2 - TC58NC1132GTC 0003 SoC Section 8

Page 12
Approved algorithm
NameUse Function
KDF in Counter ModePlaintext in RAMSystem MAC Key256HMAC (#C1925)N/APower-OnExplicit Zeroisation serviceMessage Authentication Code generation and verification for KTS
Hash_DRBG (Method SP800-133 Rev.2 Section 4)Plaintext in RAM Encrypted in System Area outside the module using the Approved KTSKDK256KBKDF (#C2001)Imported and Exported by KTS (see Table 3)Cryptographic Erase service, Set Band Position and Size serviceExplicit Zeroisation service, Cryptographic Erase service, Set Band Position and Size serviceDerivation of MEKs
KDF in Counter ModePlaintext in RAMMEKs256N/AExported to other functional subsystems on the same single-chipBand Lock/Unlock service, Cryptographic Erase service, Set Band Position and Size serviceImplicit Immediately after exportedData encryption / decryption by other functional subsystems
Electronic inputHashed in RAM Hashed + Encrypted in System Area outside the module using theSID/BandMa ster(s)/Erase Master PINsReferred to in Section 4.1 (Table 6)SHA256 (#C1925)Imported and Exported by KTS (see Table 3)Set PIN serviceExplicit Zeroisation serviceUser authentication
Page 13
Approved algorithm
NameKey SizeUse Function
Hash_DRBG (#C2002)V: 440 bits C: 440 bitsRandom number generationDRBG Internal ValueSP800-90A Instantiation of Hash_DRBGN/APower-OnPlaintext in RAMExplicit Zeroisation service
Hash_DRBG (#C2002)Entropy Input String and Nonce: 512 bitsRandom number generationDRBG SeedEntropy collected from Entropy Source at instantiation (Minimum entropy of 8 bits: 6.31)N/APower-OnPlaintext in RAMImplicit Immediately after use6
RSA (#C2009)112Signature verification.PubKey1Electronic inputImported during FW load.Power-on FW Download servicePlaintext in RAM Hashed in OTPImplicit Power-Off (Data in RAM)
DetailsEntropy sourceMinimum number of
Hardware RNG used to seed the approved Hash_DRBG.Minimum entropy of 8 bits is 6.31.7 Entropy Source
Approved algorithm
NameKey SizeUse Function
Hash_DRBG (#C2002)V: 440 bits C: 440 bitsRandom number generationDRBG Internal ValueSP800-90A Instantiation of Hash_DRBGN/APower-OnPlaintext in RAMExplicit Zeroisation service
Hash_DRBG (#C2002)Entropy Input String and Nonce: 512 bitsRandom number generationDRBG SeedEntropy collected from Entropy Source at instantiation (Minimum entropy of 8 bits: 6.31)N/APower-OnPlaintext in RAMImplicit Immediately after use6
RSA (#C2009)112Signature verification.PubKey1Electronic inputImported during FW load.Power-on FW Download servicePlaintext in RAM Hashed in OTPImplicit Power-Off (Data in RAM)
DetailsEntropy sourceMinimum number of
Hardware RNG used to seed the approved Hash_DRBG.Minimum entropy of 8 bits is 6.31.7 Entropy Source

N/A N/A after use 6 Table 9 - SSPs Table 10 - Non-Deterministic Random Number Generation Specification The Entropy Source is a hardware module inside the CM boundary. The Entropy Source supplies the Hash_DRBG with 512 bits entropy input. From Table 10 this input contains about

404 bits of entropy, which is sufficient entropy to obtain 256 bits of security strength.

Page 14
Approved algorithm
NameUse Function
AES256-CBCPower-OnConditionalEncrypt/Decrypt KATEnters Boot Error State (Indicated Error Code: 0x24)
SHA256Power-OnConditionalDigest KATEnters Boot Error State. (Indicated Error Code: 0x25)
HMAC-SHA256Power-OnConditionalDigest KATEnters Boot Error State. (Indicated Error Code: 0x26)
Hash_DRBGPower-OnConditionalDRBG KATEnters Boot Error State. (Indicated Error Code: 0x18/0x19)
RSASSA-PKCS#1-v 1_5Power-OnConditionalSignature verification KATEnters Boot Error State. (Indicated Error Code: 0x27)
KDF in Counter ModePower-OnConditionalKDF KATEnters Boot Error State (Indicated Error Code: 0x28)
Entropy Source (Health tests of noise source at startup.)Power-OnConditionalVerify not deviating from the intended behavior of the noise source by Repetition Count Test and Adaptive Proportion Test specified in SP800-90B.Enters Boot Error State (Indicated Error Code: 0x2C/0x2D)
Hash_DRBGRandom number generationConditionalVerify newly generated random number not equal to previous oneEnters Error State. (Indicated Error Code: 0x1D)
Entropy SourceEntropy output requestConditionalVerify newly generated random number not equal to previous oneEnters Error State. (Indicated Error Code: 0x1E)

For the Entropy Source listed in the table above, self-tests are performed each time before data is obtained (see Section 10 for details of these self-tests). When these tests detect that the Entropy Source cannot generate the sufficient amount of entropy, the CM is transient to error state. The CM can be recovered from the error state by rebooting the module, and the obtaining of Entropy data is attempted again. If the CM continuously enters in error state in spite of several trials of reboot, the CM may be sent back to factory to recover from error state. Section 10

Page 15
Entropy Source (Continuous noise source health tests during operation.)ConditionalEntropy output requestVerify not deviating from the intended behavior of the noise source by Repetition Count Test and Adaptive Proportion Test specified in SP800-90B.Enters Error State. (Indicated Error Code: 0x2C/0x2D)
Firmware load testConditional8Power-onVerify signature of loaded firmware image by RSASSA-PKCS#1-v1_5Enters Power Up Load Test Error State (Indicated Error Code: 0x13)
FW downloadVerify signature of downloaded firmware image by RSASSA-PKCS#1-v1_5Enters Conditional Load Test Error State. After reporting Error code, transition from error state to normal state and continue to operate with FW before download. (Indicated Error Code: 0x13)
Firmware integrity testPre-operationalPower-OnVerify ROM code integrity with 32bit CRC.Enters Boot Error State (Implicit error reporting by stopping the startup sequence)

Table 11 - Self Tests As shown in the table above, self-tests are performed automatically at the CM startup and before execution certain security functions. Operator can also initiate self-test on-demand for periodic testing by using the Reset service which is automatically invoked when the module is powered-off and powered-on (rebooted). If the self-tests fail, the CM reports error status and enters to the error state. In this case, the CM must be powered-off to clear error condition. When power-on is executed again, self-tests are also executed like an on-demand operator reset. If the CM continuously enters in error state in spite of several trials of reboot, the CM may be sent back to factory to recover from error Section 11

Page 16
  1. The Firmware described in Section 2.1 is downloaded into the CM.
  2. Initial SSPs are generated.
  3. Initial authentication information is set to the CM.
  4. System area including SSPs generated in Step2 and Step3 are encrypted and calculated message authentication code. Initial operations to setup this CM are following:
  5. Load Firmware into the CM.
  6. Load System area including SSPs into the CM.
  7. Execute Range state setting method.
  8. Execute Download port setting method. The CM switches to approved mode after the initial operation success. When the initial operation succeeds, the CM indicates success on the Status Output interface. Users can confirm that the CM is in approved mode by executing Show Status service and checking that the startup is successfully completed. As described in Section 2, the CM is used by being embedded in the solid state drive. Therefore, there are no maintenance requirements for the CM alone. Guidance for this module is provided to solid state drive developers who embed the CM. The usage and maintenance of solid state drives with the CM built-in are outside of the scope of this document. Section 12 – Mitigation of Other Attacks The CM does not mitigate other attacks beyond the scope of FIPS 140-3 requirements. Oct 27, 2023