All modules
CMVP Validated Module · FIPS 140-3 Security Policy

UT-125 FIPS #31 and #41 Cryptographic Module

Certificate#4991StandardFIPS 140-3Level1TypeHardwareEmbodimentMulti-Chip EmbeddedStatusActiveVendorIcom Inc.
Low review priority  ·  exposes firmware-update authentication  ·  last validated 16 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeHardware
EmbodimentMulti-Chip Embedded
StatusActive
Sunset date3/23/2027
EntropyENT (NP)
CaveatInterim Validation. When operated in approved mode
VendorIcom Inc.
Hardware versionsRev1.2, Rev1.3, Rev2.2, Rev2.3

Approved Algorithms (3)

AlgorithmACVP Cert
AES-OFBA1399
HMAC-SHA-1A1399
SHA-1A1399

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Operational Environment6
Physical Security7
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for UT-125 FIPS #31 and #41 Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>Rev1.6</i>"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Firmware Update</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C2,C3,C6 clue;
  class I1,I2,I3,I6 infer;
  class R1,R2,R3,R6 risk;
  class E1,E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for UT-125 FIPS #31 and #41 Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>Rev1.6</i><br/>src: certificate.firmwareVersions"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Firmware Update</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C2,C3 clueHigh;
  class C6 clueLow;

Security Policy, page by page

Page 1

UT-125 FIPS #31 and #41 Cryptographic Module Hardware versions 1.2, 1.3, 2.2 and 2.3 Firmware version 1.6 Document Revision 2.7 Icom Inc. 1-1-32, Kamiminami, Hirano-ku Osaka 547-0003 Japan

Page 2
Table of Contents
#SectionPage
1General5
1.1Overview5
1.2Security Levels5
2Cryptographic Module Specification5
2.1Description5
2.2Tested Module Version and Identification8
2.3Excluded Components8
2.4Modes of Operation8
2.5Algorithms8
3Cryptographic Module Interfaces9
3.1Ports and Interfaces9
3.2Trusted Channel Specification10
3.3Control Interface Not Inhibited10
4Roles, Services, and Authentication10
4.1Authentication Methods10
4.2Roles10
4.3Approved Services11
4.4Non-Approved Services12
4.5External Software/Firmware Loaded12
4.6Bypass Actions and Status12
4.7Cryptographic Output Actions and Status12
5Software/Firmware Security13
5.1Integrity Techniques13
5.2Initiate on Demand13
6Operational Environment13
6.1Operational Environment Type and Requirements13
6.2Configuration Settings and Restrictions13
7Physical Security13
7.1Mechanisms and Actions Required13
8Non-Invasive Security13
9Sensitive Security Parameters Management14
9.1Storage Areas14
9.2SSP Input-Output Methods14
9.3SSP Zeroization Methods14
9.4SSPs14
9.5Transitions15
9.6Additional Information15
10Self-Tests15
10.1Pre-Operational Self-Tests15
10.2Conditional Self-Tests15
10.3Periodic Self-Test Information15
10.4Error States15
10.5Operator Initiation of Self-Tests16
11Life-Cycle Assurance16
11.1Installation, Initialization, and Startup Procedures16
11.2Administrator Guidance16
11.3Non-Administrator Guidance16
11.4Design and Rules17
11.5Maintenance Requirements17
11.6End of Life17
12Mitigation of Other Attacks17
Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Cryptographic Module Tested Configuration8
Table 3: Approved Algorithms9
Table 4: Non-Approved Algorithms Not Allowed in the Approved Mode of Operation9
Table 5: Ports and Interfaces10
Table 6: Roles, Service Commands, Input and Output11
Table 7: Approved Services12
Table 8: Non-Approved Services12
Table 9: Storage Areas14
Table 10: SSP Input-Output14
Table 11: SSP Zeroization Methods14
Table 12: SSPs14
Table 13: Error Indicators16
Table 14: Error Status16
Figure 1 – Block Diagram6
Figure 2 – Representative Images7
Page 5
Security level
NameISO SectionRequirementLevel
Section 6.Section 6.
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical security1
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
1.1 Overview

This document details the security policy for the cryptographic module UT-125 FIPS #31 Hardware revision 1.2 and Hardware revision 1.3, UT-125 FIPS #41 Hardware revision 2.2 and Hardware revision

2.3 implementing firmware version 1.6, herein identified as the optional encryption unit, UT-125 FIPS #31

distributed only in its entirety without revision.

1.2 Security Levels

[Number Below] N/A Table 1: Security Levels N/A

2.1 Description

Purpose and Use: The UT-125 FIPS #31 and #41 are multi-chip embedded cryptographic modules as defined by FIPS 1403. The cryptographic module can be incorporated into any Icom Inc. radio which requires FIPS 140-3 level 1 Module Type: Hardware Module Embodiment: Multi-chip Embedded

Page 6

Cryptographic Boundary: The cryptographic boundary consists of the entire printed circuit board, as depicted in Figures 1 and 2. Cryptographic Boundary UT-125 FIPS EEPROM FLASH ROM Digital Signal Processor (DSP) Data Input/Output Control Input Radio’s DSP Figure 1

Page 7

Figure 2 contains representative images of the cryptographic module. Other than the labels, Rev 1.2 and

1.3 of the UT-125 #31 are externally identical. Likewise, Rev 2.2 and 2.3 of UT-125 #41 are also

externally identical. #31 #41 Top Bottom Figure 2

Page 8
Module configuration
NameModelHardware VersionFirmware VersionFeatures
UT-125 #31UT-125 #31Rev1.2Rev.1.6Seal, Display on the radio display.
UT-125 #31UT-125 #31Rev1.3Rev.1.6Seal, Display on the radio display.
UT-125 #41UT-125 #41Rev2.2Rev.1.6Seal, Display on the radio display.
UT-125 #41UT-125 #41Rev2.3Rev.1.6Seal, Display on the radio display.
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES-OFB (SP 800-38A)A1399AES-OFB256 bitsVoice Encryption / Decryption
HMAC-SHA-1 (FIPS 198-1)A1399HMAC-SHA-1MAC: 160 bits Key Length: 512 bitsFirmware Integrity, Firmware Load Test
2.2 Tested Module Version and Identification

Tested Module Identification

2.3 Excluded Components

The cryptographic module does not have any Excluded components.

2.4 Modes of Operation

Modes List and Description: This UT-125 FIPS cryptographic module supports both approved mode and non-approved mode as explained below. Mode Change Instructions and Status: The cryptographic module supports both approved, and non-approved modes depending on the McBSP interface commands being invoked. Approved algorithms output the signal of GPIO port when running. The signal of GPIO9 indicates the module is using an approved security function. The cryptographic module does not support degraded operation.

2.5 Algorithms

Approved Algorithms: The module’s CAVP certificates includes algorithms/options that are not utilized by the module in the approved mode. Only the algorithms/options listed in the table below are utilized by the module in the approved mode.

Page 9
Approved algorithm
NameUse Function
AES-CBC-MACMessage Authentication
AES-ECBData Encryption / Decryption
CTR_DRBGPseudo-Random Number Generator
DES-ECBCrypto Key Encryption / Decryption
DES-OFBVoice Encryption / Decryption
PRNGPseudo-Random Number Generator
Ports and interfaces
NameLogical InterfaceData That PassesUT-125 FIPS Physical
I/O Portsport/interfaceI/O Ports
#31:1 DGND #41:1 GNDPowerGround#31:1 DGND #41:1 GND
2 CCLKOData OutputMcBSP clock output2 CCLKO
#31: 3 DGND #41: 3 GNDPowerGround#31: 3 DGND #41: 3 GND
4 CFSOData OutputMcBSP frame sync output4 CFSO
5 CFSIData Input or Control InputMcBSP frame sync input5 CFSI
6 CDOData Output or Status OutputMcBSP data output6 CDO
7 CCLKIData Input or Control InputMcBSP clock input7 CCLKI
8 DRESETControl InputReset signal8 DRESET
9 CDIData Input or Control InputMcBSP data input9 CDI
10 CACTControl InputWake up signal10 CACT
11 DVDD_3.3V#31: Power #41: Power#31: External electrical power (+3.3V power line) #41: GND11 DVDD_3.3V
12 DGNDPower#31: Ground #41: External electrical power (+3.3V power line)12 DGND
13 -#31: N/A #41: Power#31: Non-connection #41: External electrical power (+3.3V power line)13 -
14 DGND#31: Power #41: N/A#31: Ground #41: Non-connection14 DGND
A1399SHA-1 (FIPS 180-4)SHA-1N/AHash function for HMAC

Table 3: Approved Algorithms N/A Vendor-Affirmed Algorithms: This cryptographic module does not have a Vendor-Affirmed Algorithms algorithm. Non-Approved, Allowed Algorithms: This module does not implement any Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Allowed Algorithms with No Security Claimed: This module does not implement any Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Not Allowed Algorithms: Table 4: Non-Approved Algorithms Not Allowed in the Approved Mode of Operation

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces
Page 10

Table 5: Ports and Interfaces

3.2 Trusted Channel Specification

This module does not support a trusted channel.

3.3 Control Interface Not Inhibited

This module does not have control output interface.

4 Roles, Services, and Authentication
4.1 Authentication Methods

This module does not support operator authentication.

4.2 Roles

The UT-125 FIPS #31 and #41 support the roles of Crypto Officer and User. Crypto Officer: Assumption of the Crypto Officer role is implied when any of the services specific to a Crypto Officer are executed. The Crypto Officer role is responsible for the keys and firmware of the UT-125 FIPS #31 and #41. The management of keys, such as loading, reading and writing, is the domain of the Crypto Officer. The main tool for key management utilized by the Crypto Officer is an approved key loading device. The Crypto Officer role will also manage firmware updating and checking procedures. User: Assumption of the User role is implied when any of the services specific to a User are executed. The User role is primarily consists of the services which conduct the encryption and decryption of communication, invoke self-tests, and indicate the status of the UT-125 FIPS #31 and #41.

Page 11
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
DecryptionDecoding from ciphertext to plaintextO/UTEKAES-OFBEPort Output (GPIO9)
EncryptionEncoding from plaintext to ciphertextO/UTEKAES-OFBEPort Output (GPIO9)
Firmware UpdateUpdating the firmware in the crypto moduleOHMAC KeyHMAC-SHA-1E, WPort Output (GPIO9)
Key LoadLoading crypto key using Key Fill Device Interface ProtocolO/UTEKN/AWN/A
Key ZeroisationZeroising crypto key using Key Fill Device Interface ProtocolO/UTEKN/AZN/A
Power-OffTurning the power off on the moduleO/UN/AN/AN/AN/A
Self-TestsSelf-testing the operation of the crypto functionsO/UN/AAES-OFB HMAC-SHA-1N/AN/A
Show Key StatusProviding the crypto parameter.O/UN/AN/AN/AN/A
Show StatusShowing current statusO/UN/AN/AN/AN/A
Show VersionShow module’s versioning informationO/UN/AN/AN/AN/A
System ManagementZeroising various setting valuesOTEK, HMAC KeyN/AZN/A
Decryption (non-approved)Decoding from ciphertext to plaintextO/UDES-OFBN/A
Encryption (non-approved)Encoding from plaintext to ciphertextO/UDES-OFBN/A
Key ManagementChanging/Adding/Gen erating/Zeroising crypto key and module parameter.O/UAES-CBC-MAC AES-ECB CTR_DRBG DES-ECB PRNGN/A
User/Crypto OfficerDecryptionMcBSP command:Control Input or Data Input (Request Command)McBSP command:Status Output or Data Output (Response Command)
User/Crypto OfficerEncryptionMcBSP command:Control Input or Data Input (Request Command)McBSP command:Status Output or Data Output (Response Command)
Crypto OfficerFirmware UpdateMcBSP command:Control Input (Request Command)McBSP command:Status Output (Response Command, Indicate Command)
User/Crypto OfficerKey LoadMcBSP command:Control Input or Data Input (Request Command)McBSP command:Status Output (Response Command, Indicate Command)
User/Crypto OfficerKey ZeroisationMcBSP command:Control Input (Request Command)McBSP command:Status Output (Response Command)
User/Crypto OfficerPower-OffMcBSP command:Control Input (Request Command)McBSP command:Status Output (Response Command, Indicate Command)
User/Crypto OfficerSelf-TestsReset signal (Physical port): Control InputMcBSP command: Status Output
User/Crypto OfficerShow Key StatusMcBSP command:Control Input (Request Command)McBSP command:Status Output (Response Command)
User/Crypto OfficerShow StatusMcBSP command:Control Input (Request Command)McBSP command:Status Output (Response Command)
User/Crypto OfficerShow VersionMcBSP command:Control Input (Request Command)McBSP command:Status Output (Response Command)
Crypto OfficerSystem ManagementMcBSP command:Control Input (Request Command)McBSP command:Status Output (Response Command)
User/Crypto OfficerKey ManagementMcBSP command:Control Input or Data Input (Request Command)McBSP command:Status Output or Data Output (Response Command)
4.3 Approved Services
Page 12
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Show Key StatusProviding the crypto parameter.O/UN/AN/AN/AN/A
Show StatusShowing current statusO/UN/AN/AN/AN/A
Show VersionShow module’s versioning informationO/UN/AN/AN/AN/A
System ManagementZeroising various setting valuesOTEK, HMAC KeyN/AZN/A
Decryption (non-approved)Decoding from ciphertext to plaintextO/UDES-OFBN/A
Encryption (non-approved)Encoding from plaintext to ciphertextO/UDES-OFBN/A
Key ManagementChanging/Adding/Gen erating/Zeroising crypto key and module parameter.O/UAES-CBC-MAC AES-ECB CTR_DRBG DES-ECB PRNGN/A

N/A N/A O/U N/A N/A N/A N/A O/U N/A N/A N/A N/A O/U N/A N/A N/A O Z N/A Table 7: Approved Services O = Crypto Officer U = User G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Table 8: Non-Approved Services O/U N/A O/U N/A O/U N/A

4.5 External Software/Firmware Loaded

The firmware update is performed via the Firmware Update service, which executes the firmware load test.

4.6 Bypass Actions and Status

This module does not support a bypass capability.

4.7 Cryptographic Output Actions and Status

This module does not support a self-initiated cryptographic output capability.

Page 13
5 Software/Firmware Security

The module’s firmware is provided as the 3059C3_16.MOT (boot and application firmware) or 3059C3_16(F).MOT (just application firmware) binary images.

5.1 Integrity Techniques

The module uses CRC-32 as EDC method for the integrity testing.

5.2 Initiate on Demand

The software/firmware integrity test is performed every time the module is started / rebooted.

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Limited How Requirements are Satisfied: As shown in Table 1 this cryptographic module operates at security level 1. The module maintains control of its own SSPs retained within the module. The module’s operational environment consists of firmware with access to SSPs managed wholly by the module itself. Please see Section 9 for SSP details.

6.2 Configuration Settings and Restrictions

This module is a hardware module with a limited operational environment. Cryptographic module stores firmware to flash ROM within cryptographic boundary. .

7 Physical Security
7.1 Mechanisms and Actions Required

This is multi-chip embedded cryptographic module. The circuitry uses standard passivation techniques and meets Security Level 1. This plug-in module is contained within a production grade radio enclosure and uses commercially available IC chips.

8 Non-Invasive Security

The cryptographic module does not have the non-invasive mitigation techniques.

Page 14
Sensitive security parameter
NameTypeDescriptionStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZeroisation
EEPROMStaticFor Cryptographic key
DSP RAMDynamicFor Temporary SSPs
TEK (Traffic Encryption Key)256-bitsAES-OFB A1399N/AN/AEEPROM (Plaintext)Used for encryption/ decryption of voice traffic through the module's host radio.KFD* ProtocolZeroise command from McBSP interface
HMAC Key256-bitsHMAC- SHA-1 A1399Manufactur er pre- loadedN/AEEPROM (Plaintext)Used for updating the firmware.N/AZeroise command from McBSP interface
Service
NameApproved FunctionsTypeFromToDistribution TypeEntry Type
KFD* ProtocolNonePlaintextKey Fill DeviceEEPROM or DSP RAMManualElectronic
Sensitive security parameter
NameTypeDescriptionStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZeroisation
EEPROMStaticFor Cryptographic key
DSP RAMDynamicFor Temporary SSPs
TEK (Traffic Encryption Key)256-bitsAES-OFB A1399N/AN/AEEPROM (Plaintext)Used for encryption/ decryption of voice traffic through the module's host radio.KFD* ProtocolZeroise command from McBSP interface
HMAC Key256-bitsHMAC- SHA-1 A1399Manufactur er pre- loadedN/AEEPROM (Plaintext)Used for updating the firmware.N/AZeroise command from McBSP interface
MethodDescriptionRationaleOperator Initiation Capability
Zeroise commandMcBSP Command: Control Input / Status OutputZeroising Key in EEPROM or DSP RAMStarting with Operator's invocation. Determining whether the procedures were successful with Status Output.
Power lostModule power lostZeroising SSP in volatile memoryOperator's invocation.
9 Sensitive Security Parameters Management
9.1 Storage Areas
9.3 SSP Zeroization Methods

Table 11: SSP Zeroization Methods h N/A er preloaded N/A Table 12: SSPs

Page 15
NumberByte SizeInformationLogical Interface
$011Show Status (see Table 7) $00=Program Running $01=Initial SequenceStatus Output

*Key Fill Device (Key Loader)

9.5 Transitions

The cryptographic module is not subject to transitions.

9.6 Additional Information

Keys/SSPs used in the approved mode shall not be used in the non-approved mode and vice-versa. The cryptographic module does not support manual key entry. Please note that Zeroise command from McBSP interface is used for changing the key data in DSP RAM. Then, those updated key data will be written to EEPROM.

10 Self-Tests
10.1 Pre-Operational Self-Tests

Pre-Operational self-tests: Pre-Operational software/firmware integrity test; Firmware Integrity Test (CRC-32)

10.2 Conditional Self-Tests

Conditional self-tests: Cryptographic Algorithm Self-Tests AES-ECB Encrypt Known Answer Test (256-bit key)* AES-ECB Decrypt Known Answer Test (256-bit key)* AES-CBC Encrypt Known Answer Test (256-bit key)* AES-CBC Decrypt Known Answer Test (256-bit key)* AES-OFB Encrypt Known Answer Test (256-bit key) AES-OFB Decrypt Known Answer Test (256-bit key) HMAC-SHA-1 Known Answer Test *Algorithm only used for self-tests in approved mode. Conditional software/firmware load test; Firmware load test (HMAC-SHA1 w/ 512-bit key) Conditional Critical Functions Test 32-bit CRC check on Electronically Entered keys

10.3 Periodic Self-Test Information

The module does not perform periodic self-tests.

10.4 Error States
Page 16
ValueStatusFinite State Model
$00Program RunningIdle
$01Initial SequenceApplication Initialization, Application Self-Test, Database Load
$02Firmware UpdateFirmware Update
$03EEPROM ErrorBoot EEPROM Error, Application EEPROM Error
$04Boot Self-Test ErrorBoot Self-Test Error
$05Application Self-Test ErrorApplication Self-Test Error

Table 13: Error Indicators Table 14: Error Status

10.5 Operator Initiation of Self-Tests

The module’s pre-operational self-tests and conditional CASTs can be performed on demand by power cycling the module.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Install For the cryptographic module installation, refer the radio service manual. Secure Initialization Proper keys must be loaded into the module. Key Loading Instructions Crypto-Officer may load keys into the modules using the key loader devices. The radio hardware communicates with the module through the defined ports. Each key loaded into the module has an associated key ID which is used to associate the key with a given radio channel. Operation of the module The cryptographic module contains non-approved security functions. Only services which utilize approved security functions are indicated as such by the module.

11.2 Administrator Guidance

Please refer to the McBSP command guidance.

11.3 Non-Administrator Guidance

Please refer to the McBSP command guidance.

Page 17
11.4 Design and Rules

The security rules presented below are a combination of those required by FIPS140-3 for Level 1 secure use and the security rules separately implemented by Icom Inc. FIPS 140-3 Security Rules: Only approved algorithms can be used, and the use of RNG, DES is not allowed in the approved mode of operation.

11.5 Maintenance Requirements

The cryptographic module is composed of production grade components which do not require any maintenance or inspection by the user to ensure security.

11.6 End of Life

When distributing or discarding the cryptographic module to other operators, send the McBSP command "All Key Zeroise" ($ 77) to initialize and sanitize all cryptographic keys (SSPs). (Since the cryptographic module does not perform Operator Authentication, it does not retain authentication data.)

12 Mitigation of Other Attacks

This module does not support other attack mitigation.