CMVP · FIPS 140-3 validated-module corpus

What a FIPS 140 certificate actually tells you

Read across the public corpus, FIPS certificates and their Security Policies are a structured record of how cryptographic systems are built, validated, and maintained. They show the trusted-computing-base surfaces around each module, how far its components have drifted since validation, and where a security review should look first.

415 modules136 with full SP extractionref 2026-07#4650–#5159source: CMVP + NVD
415
modules analyzed
#4650–#5159
60 mo
median active window
listed-valid: validation → sunset
78%
no recorded update
324 of 415 certificates
0%
lattice PQC present
ML-KEM / ML-DSA / SLH-DSA
70%
carry a legacy primitive
SHA-1 / ECB / 3DES

Executive finding. A FIPS certificate and its Security Policy are a structured, corpus-wide security record, and this report reads them for what they reliably deliver: a map of the trusted-computing-base surfaces around each module (§6), a measure of how far its named components have drifted since validation (§5), and a ranked view of where a review should look first (§9). A certificate attests one module version, in one approved-mode configuration, at one moment, so it is best read as a map of what to verify in a deployment, which is exactly what makes these artifacts a fast way to aim that verification.

Terminology. Throughout, “certificate” / “validation” / “update” refer to the CMVP FIPS 140-3 validation certificate and its validation-history events, not an X.509/TLS certificate.

Corpus composition. The corpus is a near-census of the 415 FIPS 140-3 modules validated in cert window #4650–#5159. Lifecycle, archetype, algorithm and component-drift findings use all 415. The Security-Policy-structure findings, TCB surfaces (§6), review-priority (§9, §10) and document quality (§11), require the full pdfplumber SP extraction and are computed over the 136 modules that carry it; the rest are metadata-and-text records fetched from CMVP.

Part I
What a certificate proves
A CMVP certificate attests a module version, once. This part establishes exactly what that certifies, and how to read it.

0Corpus confidence

reference date2026-07
range sweptcert #4650–#5159 (near-census of FIPS 140-3 in this window)
140-3 modules415 (span #4650–#5159)
status{'Active': 382, 'Historical': 33}
with validation dates414/415
with dated SP revision tables3/415 (dev-span directional)
dedup ruleone record per certificate number; cross-cert rebrand/re-validation chains NOT yet merged

The decision model, what actually backs deployed FIPS?

The whole analysis is the evidence layer for one reviewer decision: from “product claims FIPS” down to “is the deployed crypto function the same validated version, in approved mode?”, and on any mismatch, “was it a patch inside or outside the module boundary?” (the security-vs-compliance fork). Corpus data populates the branches below.

flowchart TD
  A["Product claims FIPS 140 support"] --> B["CMVP certificate for the module?"]
  B -->|No| Z["No public FIPS validation evidence"]
  B -->|Yes| C["Certificate status / assurance type?"]
  C -->|Active full validation| D["Check deployed module identity"]
  C -->|Interim validation| C1["Interim CMVP assurance
2-yr window, reduced review depth"] C -->|Historical / revoked| C2["Exists, but not current active assurance"] C1 --> D C2 --> D D --> E["Deployed version = certificate version?"] E -->|Yes| F["Check operational environment"] E -->|No / unknown| G["Certified-state drift"] F --> H["Deployed OE = listed / allowed OE?"] H -->|Yes| I["Check approved mode"] H -->|Porting rules used| H1["Vendor/User affirmation
limited assurance"] H -->|No / unknown| G H1 --> I I --> J["Operated per Security Policy?"] J -->|Yes| K["Check services / algorithms"] J -->|No / unknown| G K --> L["Only approved services / algorithms?"] L -->|Yes| M["Strongest deployed FIPS evidence"] L -->|No / unknown| N["Validated module, use outside approved mode"] G --> O["Caused by a patch/update?"] O -->|Outside crypto boundary| P1["May preserve validation if boundary/OE unchanged"] O -->|Inside crypto boundary| Q["Security/compliance fork:
patched but not validated until cert update"] O -->|Unknown| R["Opacity gap: need vendor evidence"]

Corpus populates the branches: status/assurance, Full 200 · Interim 146 · other 69; ever updated, 22% (so most are frozen at the “version = certified?” branch); drift, measured in §5 (OpenSSL providers ~39–40 upstream CVEs since cert); the patch-boundary fork and OE/mode branches need per-module Security-Policy + vendor evidence (the opacity gap a data layer surfaces).

Part II
The certified state, and how it freezes
How long certificates stay valid, how rarely they are re-validated, and how that frozen snapshot drifts.

1Lifecycle & certificate window

CMVP certificate active window (n=381)

60 months

median (mean 51). The active window is how long CMVP lists a certificate as valid, from initial validation to sunset (its removal from the active list). It is the module's certification lifetime, not an X.509 certificate's validity period, and it measures the certified state's shelf life, not vulnerability exposure (see §9).

Development→certificate (directional, n=3)

~32 mo

where the SP ships a dated revision table (small sample, anecdote, not a corpus statistic). Consistent with a published external industry estimate (~19 mo post-submission / ~24–36 mo end-to-end; provided, not corpus-derived).

Volume context (external input, provided, not corpus-derived): active 140-3 certs by year run 2022:6 · 2023:6 · 2024:176 · 2025:163 · 2026-YTD:265, a transition-driven surge (~500/yr). The population skews to very recent certificates, so the freeze/exposure patterns are structural and will bite as the 2024–26 cohort ages inside its window without updates.

Assurance type, certificates differ in what backs them

Full (5-yr)200 mod
Interim (2-yr)146 mod
Other/unclear69 mod
Interim Validation (35% here), a backlog-reduction path CMVP launched 2024-06-06: CMVP-issued but relying more on the CSTL submission with less CMVP review depth, initially with a shorter active window (it can follow a path to a full five-year period). Detected authoritatively from the CMVP caveat ('Interim validation…'), not from certificate duration. Two further grades, vendor/user affirmation (unlisted OE, CMVP makes no statement) and vendor-affirmed algorithms (CAVP transition, no CMVP/CAVP assurance), aren't in cert metadata but matter: the buyer question is what kind of assurance backs the deployed state, not merely 'is there a certificate?'

2CMVP re-validation cadence

How often a certificate carries an Update entry (any kind, security, version, OE, administrative, or rebrand; we do not yet classify the type). If a certificate is never updated, public CMVP evidence does not show that later product fixes, firmware updates, or dependency changes are part of the validated configuration.

Updates per module

0 update(s)324 modules
1 update(s)66 modules
2 update(s)21 modules
3 update(s)3 modules
4 update(s)1 modules

Cadence

22%
≥ 1 CMVP validation update
6 mo
median gap between validations
0.3
avg updates / module

Certificate families and successors (the “never updated” caveat)

A per-certificate “never updated” can understate maintenance: a vendor often validates a successor under a new certificate number instead of updating the old one. Clustering the 415 certificates into 360 product families (normalized vendor + de-noised module name; 44 span more than one certificate) shows 43 of the 324 never-updated modules (13%) have a later-validated family-mate, a likely successor rather than an abandoned certificate. It is a conservative, deterministic lower bound (no NIST “replaced-by” data), so the true successor share is at least this; the rest is the genuinely-frozen population.

largest product familiescertificates
Cisco Adaptive Security Appliance Cryptographic Module (FPR 1000 Series)…#4966, #5066, #5067, #5069
Cisco Secure Firewall Threat Defense Cryptographic Module (FPR 1000 Series)…#4979, #5035, #5070, #5071
Apple corecrypto Module v12.0 [Apple silicon, Kernel, Software, SL1] / Apple…#4854, #5050, #5101
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] / Apple…#4817, #5065, #5108
BoringCrypto#4735, #4953, #5104
Nuvoton Cryptographic Library 2.0 / Nuvoton Cryptographic Library 2.3…#4954, #5008, #5098
Part III
Inside the validated boundary
What cryptography the certificate actually covers, from the algorithms in use to the legacy still present to post-quantum readiness.

3Cryptographic posture, specific algorithms

1949 distinct normalized approved-algorithm labels (operation-level, e.g. “RSA SigVer”, “ECDSA KeyGen”, not distinct primitives); median 27 per module. Presence ≠ insecure use, legacy primitives are often retained for verify-only/legacy paths, and AES-ECB is a building block; the signal is breadth of the approved surface.

Most common algorithms

SHA2-256300 mod
AES-CBC270 mod
HMAC-SHA2-256269 mod
RSA SigVer264 mod
SHA2-384256 mod
AES-ECB246 mod
SHA2-512244 mod
ECDSA KeyGen240 mod
ECDSA SigVer239 mod
SHA-1238 mod
HMAC-SHA-1234 mod
AES-GCM233 mod
Counter DRBG232 mod
HMAC-SHA2-384232 mod

Legacy present (% of modules)

SHA-157.3%
HMAC-SHA-156.4%
Triple-DES11.1%
AES-ECB59.3%

Modern present (%)

SHA-3/SHAKE33.3%
AES-GCM (AEAD)56.1%
SP800-56 KAS54.9%
PBKDF32.8%
modern KDF60.0%

4Post-quantum readiness

10/415 (2%) list any PQC algorithm, but composition matters: it is almost entirely stateful hash-based signatures (LMS/HSS, SP 800-208) for firmware signing. Adoption of the new lattice standards ML-KEM/ML-DSA (FIPS 203/204) and SLH-DSA (FIPS 205) is effectively zero (lattice module(s): [], under the pre-standard 'Kyber' name).

PQC by NIST family (% of modules)

stateful hash-sig (SP800-208: LMS/XMSS)2.2%
ML-KEM (FIPS 203)0.0%
ML-DSA (FIPS 204)0.0%
SLH-DSA (FIPS 205)0.0%
pre-standard PQC name (Kyber/Dilithium/SPHINCS+)0.2%
other PQC candidate0.0%

Specific PQC algorithms

HSS9 mod
LMS9 mod
KYBER1 mod
Part IV
The trusted computing base around the module
What the Security Policy reveals about the boot chain, firmware, components, and interfaces the module's security rests on.

5Component identification & drift

Components are identified generically, a full-record scan (module name + software/firmware versions + SP body/tables) against an extensible, CPE-mapped catalog (generic whole-record scanning rather than certificate-specific rules). Strong = the module names/ships it (name/version field); a CPE enables the NVD drift join below.

Naming the actual code is the highest-resolution view of a module's trust boundary the public record offers, and the sparsest: it exists only where a component is named. It is the component-level counterpart to the surface-level TCB view in §6, which stays visible for the many modules that name nothing. Where this section goes dark, §6 still sees the surface.

Named components (strong, 89 modules)

OpenSSL36 mod
Linux kernel23 mod
libgcrypt7 mod
GnuTLS7 mod
NSS6 mod
Bouncy Castle4 mod
U-Boot3 mod
wolfSSL2 mod
strongSwan1 mod

Beyond crypto libraries

Because identification is generic, the scan also names bootloaders, firmware, and OS-kernel components that a crypto-library shortlist would miss:

U-Boot (#4700, #4703, #4745); Linux kernel (#4726, #4727, #4739, #4744, #4750, #4764, #4776, #4796, #4804, #4808, #4815, #4863, #4865, #4894, #5034, #5036, #5086, #5089, #5094, #5095, #5097, #5112, #5113); strongSwan (#4911)

One of these, U-Boot inside HSMs, is consequential enough for its own spotlight below.

The boot chain is a first-class security property

For a hardware crypto module the boot chain is the root of trust: if secure-boot or firmware-signature verification can be bypassed, the whole validated crypto boundary can be swapped out underneath the certificate. So the corpus treats boot integrity as a population, not an anecdote, keyed to archetype rather than to whether one component happened to be named. Across the archetypes where it is a core property, 27 of the 32 hardware modules (HSM, secure element, network appliance) expose a boot-integrity, firmware-update, or firmware-trust-anchor surface.

Boot-related surface, by archetype

Secure element/SoC16 mod
Other7 mod
Network appliance7 mod
HSM/accelerator4 mod
Software crypto library3 mod

By TCB surface (§6)

boot-chain verification9 mod
firmware-update authentication20 mod
HSM/SE firmware trust anchor20 mod

A module can match more than one; these are architectural patterns where the bug class matters, not vulnerabilities.

The bootloaders the corpus can name

Identifying the surface is generic; naming the component is the ceiling. Only where a module names a CPE-mappable bootloader can the corpus move from “has a boot chain” to “check this CVE.” Today that is 3 modules, all shipping U-Boot inside the boundary, the exact surface Binarly's U-Boot FIT signature-verification bypass (CVE-2026-46728, U-Boot < 2026.04) targets:

certmodulecomponentversion as listedvalidatedupstream CVEs since initial validation
#4700NITROXIII CNN35XX-NFBE HSM FamilyU-Boot4.032024-0510
#4703Marvell LS2 HSM FamilyU-Boot10.012024-0610
#4745nShield 5s Hardware Security ModuleU-Boot1.1.02024-0710

How to use this. Make boot-chain review standard for any hardware crypto module: the corpus reliably flags the whole population that carries the surface. Where the bootloader is named, rebase its version against CVE-2026-46728; where it is not, the flagged surface is the prompt to ask the vendor for the actual boot-loader lineage. Either way the output is a concrete next step.

Component drift, the certified-state freeze, measured

For modules that wrap a well-known upstream (OpenSSL, GnuTLS, libgcrypt, Linux kernel, NSS), this counts CVEs disclosed in that upstream component (CPE-matched in NVD) since the module's initial validation date. It measures how far the upstream has moved past the certified snapshot.

Coverage is component-shaped, and mostly crypto libraries. A drift signal is only possible where a module both names a component and that component maps to an NVD CPE. That holds for 85 of 415 modules (OpenSSL 36, Linux kernel 23, GnuTLS 7, libgcrypt 7, NSS 6, U-Boot 3, wolfSSL 2, strongSwan 1). The other 330, disproportionately the hardware, firmware, and appliance modules, name no CPE-mappable component, so they get no component-level drift signal at all. That blank is a prompt: for the hardware, firmware, and appliance modules where boot and firmware integrity matter most (the spotlight above), the component is simply unnamed at this resolution, so §6 reads them at surface resolution instead, where they stay legible.

Read carefully, this is a drift/pressure indicator, NOT a vulnerability count for the module. The certified version may or may not be affected by any given CVE, and distros routinely back-port fixes without re-validating. For the Linux kernel the count spans the whole kernel, most of it outside the crypto subsystem. The number answers 'how much has the named upstream churned since this certificate froze', which is the question a reviewer should then run down.

Crypto-library modules, by upstream CVE drift since validation

certmoduleupstreamvalidatedupdatesupstream CVEs since initial validation
#4718wolfCryptwolfSSL2024-07286
#5041wolfCryptwolfSSL2025-07079
#4724KeyPair FIPS Provider for OpenSSL 3OpenSSL2024-07240
#4725SUSE Linux Enterprise OpenSSL Cryptographic ModuleOpenSSL2024-07140
#4729Linux OpenSSL FIPS ProviderOpenSSL2024-07040
#4746Red Hat Enterprise Linux 9 OpenSSL FIPS ProviderOpenSSL2024-07040
#4775Junos® OS Evolved OpenSSL Cryptographic ModuleOpenSSL2024-09040
#4779Oracle Linux 9 OpenSSL FIPS ProviderOpenSSL2024-08140
#4794Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic ModuleOpenSSL2024-09040
#4823OpenSSL FIPS Provider for AlmaLinux 9OpenSSL2024-10039
#4857Red Hat Enterprise Linux 9 - OpenSSL FIPS ProviderOpenSSL2024-10139
#4876Hewlett Packard Enterprise OpenSSL 3 ProviderOpenSSL2024-11239
#4885ZPE Systems FIPS Provider for OpenSSL 3OpenSSL2024-11039
#4886Gallagher FIPS Provider for OpenSSL 3OpenSSL2024-11139
#4888Keysight OpenSSL 3 FIPS Provider for Network VisibilityOpenSSL2024-11239
#4889AIX FIPS Crypto Provider for OpenSSL 3OpenSSL2024-11239
#4923HID/Mercury FIPS Provider for OpenSSL 3OpenSSL2024-12139
#4926Tanium FIPS OpenSSL 3.0 ModuleOpenSSL2024-12039
#4929Aruba OpenSSL ModuleOpenSSL2024-12039
#4981Covidence FIPS Provider for OpenSSL 3OpenSSL2025-03139
#4985OpenSSL FIPS ProviderOpenSSL2025-03139
#5021Amazon Linux 2023 OpenSSL FIPS ProviderOpenSSL2025-05039
#5023OpenSSL Cryptographic ModuleOpenSSL2025-06039
#5073ICU Medical FIPS Module for OpenSSL 3OpenSSL2025-09238
#5096SUSE Linux Enterprise OpenSSL 3 Cryptographic ModuleOpenSSL2025-11138
#5102Chainguard FIPS Provider for OpenSSLOpenSSL2025-12038
#5115Canonical Ltd. Ubuntu 24.04 OpenSSL Cryptographic ModuleOpenSSL2026-01038
#5116Rocky Linux 9 OpenSSL FIPS ProviderOpenSSL2026-01038
#5132Chainguard FIPS Provider for OpenSSLOpenSSL2026-01038
#5145PreVeil Cryptographic Module based on the OpenSSL FIPS ProviderOpenSSL2026-01038
#5147VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS ProviderOpenSSL2026-01038
#5149Musarubra US LLC FIPS Provider based on the OpenSSL FIPS ProviderOpenSSL2026-01038
#5154NetApp Cryptographic Security Module (NCSM) based on the OpenSSL FIPS ProviderOpenSSL2026-02038
#5155Juniper FIPS Provider based on the OpenSSL FIPS ProviderOpenSSL2026-02038
#5156Veeam Cryptographic Module based on the OpenSSL FIPS ProviderOpenSSL2026-02038
#5157Digi DAL OS based on the OpenSSL FIPS ProviderOpenSSL2026-02138
#5158Dell FIPS Module based on the OpenSSL FIPS ProviderOpenSSL2026-02038
#5159BigFix Encryption Module based on the OpenSSL FIPS ProviderOpenSSL2026-02038
#4742SUSE Linux Enterprise GnuTLS Cryptographic ModuleGnuTLS2024-0709
#4780Red Hat Enterprise Linux 9 gnutlsGnuTLS2024-0809
#4846Red Hat Enterprise Linux 9 gnutlsGnuTLS2024-1019
#4855Canonical Ltd. Ubuntu 22.04 GnuTLS Cryptographic ModuleGnuTLS2024-1009
#5015Amazon Linux 2023 GnuTLS Cryptographic ModuleGnuTLS2025-0509
#5037Oracle Linux 9 GnuTLS Cryptographic ModuleGnuTLS2025-0719
#5049GnuTLS cryptography module for AlmaLinux 9GnuTLS2025-0709
#4722SUSE Linux Enterprise Libgcrypt Cryptographic Modulelibgcrypt2024-0702
#4754Red Hat Enterprise Linux 9 libgcryptlibgcrypt2024-0802
#4793Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Modulelibgcrypt2024-0902
#4971Amazon Linux 2023 Libgcrypt Cryptographic Modulelibgcrypt2025-0202
#4993Oracle Linux 9 libgcrypt Cryptographic Modulelibgcrypt2025-0322
#5060Libgcrypt cryptography module for AlmaLinux 9libgcrypt2025-0922
#5117Rocky Linux 8 and 9 libgcrypt Cryptographic Modulelibgcrypt2026-0102
#4728SUSE Linux Enterprise NSS Cryptographic ModuleNSS2024-0700
#4774Red Hat Enterprise Linux 9 NSS Cryptographic ModuleNSS2024-0800
#4801Oracle Linux 9 NSS Cryptographic ModuleNSS2024-0900
#4911Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic ModulestrongSwan2024-1200
#5014Amazon Linux 2023 NSS Cryptographic ModuleNSS2025-0510
#5022Red Hat Enterprise Linux 9 NSS Cryptographic ModuleNSS2025-0500
#5031NSS cryptography module for AlmaLinux 9NSS2025-0600

Source: NVD CVE API v2 (CPE virtualMatchString), quarterly counts, as of 2026-07.

Linux-kernel modules (23): upstream CVE counts since cert range 3932–10212, but that is whole-kernel volume, the vast majority outside the crypto subsystem, so it overstates crypto-relevant drift and is kept separate from the table above.

Version-exact CVEs, drift narrowed to the certified version

Drift counts the whole component, incl. newer branches the module doesn't run. Intersecting the certified version with each CVE's NVD affected-range gives the defensible count:

certcomponentcertified verdriftversion-exacte.g.
#4775OpenSSL3.0.84025CVE-2024-6119, CVE-2025-15467
#4823OpenSSL3.0.73924CVE-2025-15467, CVE-2025-68160
#4754libgcrypt1.10.021CVE-2026-41989
#4793libgcrypt1.9.421CVE-2026-41989

~24–25 of the ~39–40 OpenSSL drift CVEs affect the exact certified 3.0.x version (≈62%). Method: NVD v2 virtualMatchString=cpe:…:<version>; counted where published ≥ validation date; Rejected/Disputed excluded. Upper-bound caveat: distros back-port fixes without bumping the version string, and this is CVE disclosure, not a vuln or FIPS-boundary claim. Version captured for 4 of 19 component modules (rest have empty softwareVersions, coverage gap).

6TCB surfaces visible in public FIPS artifacts

FIPS validation certifies a defined cryptographic-module boundary; the security of that boundary usually depends on the surrounding trusted computing base (TCB): the boot chain, firmware-update path, debug/recovery controls, host/OE dependencies, network-management services, and secure-element/HSM trust anchors. A Security Policy is not an SBOM, but it is often enough to sketch the core TCB surfaces around the module, which is a more useful thing to ask of it than deployment proof.

What “TCB surface” means here. Public evidence of the mechanisms that decide whether the validated cryptographic boundary stays the code and configuration users rely on: the boot chain, firmware-update path, debug/recovery controls, host/OE dependencies, and trust anchors. Each surface below is an architectural pattern (a motif) matched from public signals, so a match locates the surface where that bug class would matter, pointing a review straight to where to look.

TCB-surface frequency

debug/recovery interface25 mod
network crypto parser/protocol24 mod
HSM/SE firmware trust anchor20 mod
firmware-update authentication20 mod
boot-chain verification9 mod
kernel crypto consumer9 mod
TCB-adjacent surfacencorpus signalwhy it matterswhat to confirm next
boot-chain verification9secure/verified boot, ROM, bootloader (U-Boot), FIT imageRuns before the crypto boundary; can replace or subvert validated code at the earliest root of trust.exact bootloader version, whether the affected path is built in, exploitability.
firmware-update authentication20firmware update, signed image, LMS/HSS, anti-rollbackGoverns whether patched or swapped code can enter the boundary, and whether it can be rolled back.whether the implementation is vulnerable.
debug/recovery interface25JTAG, UART, SPI, I²C, USB/DFU, recovery modeA local path that can bypass normal runtime controls and reach keys or state directly.whether it is enabled in production.
kernel crypto consumer9Linux kernel, OS/kernel crypto, IPsec / dm-crypt / TLS offloadThe host / operational environment mediates access to the module's keys and services.which subsystem is actually enabled/exposed.
network crypto parser/protocol24TLS / SSH / IKE via OpenSSL, GnuTLS, mbedTLS, wolfSSLThe likely path where untrusted parsers and authentication controls meet the crypto.whether the vulnerable path is reachable pre-auth.
HSM/SE firmware trust anchor20HSM, secure element / SoC, sub-chip, firmware versionsHigh-impact root of key custody; the device's whole trust chain hinges on its firmware lineage.firmware lineage, patchability, production config.

Every row reads the same way: the corpus locates the surface, external research supplies the bug class. The boot-chain row is worked through in the §5 spotlight (three HSMs naming U-Boot, mapped to Binarly's CVE-2026-46728); the others are the questions a reviewer should raise for a module of that shape.

Bottom line: public FIPS artifacts are genuinely useful TCB-surface evidence. They reveal where boot, firmware-update, debug/recovery, host/OE, network-service, and component-version questions should be asked, turning a certificate into a map of what to verify. Where a component is unnamed (§5), that map still marks the spot to check.

7What the devices expose

Exposed interfaces

Network/Ethernet23 mod
Serial/UART16 mod
Console16 mod
USB12 mod
PCIe6 mod
SMBus/I2C5 mod
SPI4 mod
JTAG3 mod
GPIO2 mod
Wireless2 mod

Algorithm families

SHA-2310 mod
AES309 mod
DRBG295 mod
HMAC295 mod
RSA268 mod
ECDSA250 mod
KDF/KBKDF249 mod
ECDH/KAS232 mod
SHA-3142 mod
Triple-DES48 mod
EdDSA31 mod
PQC10 mod

Security level

Level 1295 mod
Level 284 mod
Level 336 mod

Type / embodiment

Hardware157 mod
Software214 mod
Firmware16 mod
Software-hybrid12 mod
Firmware-hybrid16 mod
Multi-Chip Stand Alone312 mod
Single Chip68 mod
Multi-Chip Embedded33 mod
MultiChipStand2 mod

8Device classification

Coarse taxonomy from name + vendor + type + embodiment. The classes behave very differently, chips are frozen silicon (rarely re-validated), HSMs are actively maintained (100% re-validated), network appliances are well-documented but re-validate less, and software carries the broadest crypto surface.

classndoc gradeexposure windowre-validatedPQCmedian algos
Software / Library23027.556.0 mo27%4%44.0
Other Hardware8619.660 mo20%0%9.0
Chip / Secure Element5229.560 mo2%0%11.0
Network Appliance2837.560.0 mo11%0%25.0
HSM1036.460 mo70%0%57.0
Firmware929.142.0 mo11%0%32
Part V
Where to look first
Turning the evidence into a prioritized review queue, ranking which modules and which questions come first.

9Risk-triage lens

An active module whose last validation is old and which exposes a remote/networked interface is where an unpatched CVE would matter, its certified state predates the fix and no re-validation has pulled the fix in. This is the internal signal to correlate against external CVE/advisory timelines (NVD, vendor PSIRTs).

100%
still active
15.0
median months since last validation
8
stale + network-relevant
active, ≥18mo stale, networked iface

Stale + network-relevant modules (triage queue)

certmodulesince last val.interfacesever updated?
#4733Device Cryptographic Module24 moNetwork/Ethernetnever
#4742SUSE Linux Enterprise GnuTLS Cryptograph24 moNetwork/Ethernetnever
#4751Nokia 1830 Photonic Service Switch (PSS)23 moNetwork/Ethernet, Serial/UART, USBnever
#4832Ruckus FastIron ICX ™ 7450 Series Switch21 moConsole, Network/Ethernetnever
#4835Forcepoint NGFW Cryptographic Kernel Mod21 moConsolenever
#4850Quantum Xchange Phio TX21 moConsole, Network/Ethernet, Serial/UART, USBnever
#4907Mediant 800 Session Border Controller/Me19 moNetwork/Ethernet, Serial/UART, USBnever
#4916AP-514, AP-515, AP-534, AP-535, AP-584, 19 moNetwork/Ethernet, Wirelessnever

10Operational archetypes & review-priority

Embodiment (hw/sw/fw) is too coarse for risk. Operational archetype captures the attack path and lets reachability be weighted by class, a network interface on a software library is host-mediated (the app listens, not the module), on a network appliance it is the management/data plane. Review priority = Likelihood + Impact as ordinal ranks (a rank sum, not a product) banded into tiers, explicit rules, no weighted coefficients; measured upstream CVE drift weighs most (real evidence, not heuristic). The tiers are review-order candidates, not vulnerability severities.

Archetype mix

Software crypto library217 mod
Other66 mod
Secure element/SoC43 mod
Network appliance28 mod
OS/kernel crypto24 mod
Cloud/virtual appliance17 mod
HSM/accelerator10 mod
Storage/data-at-rest9 mod
Firmware/boot1 mod

Review-priority distribution

Medium71 mod
Low31 mod
High29 mod
Critical5 mod

Impact is a documented expert prior per archetype; Likelihood = archetype-weighted reachability + never-updated + ≥18mo stale + upstream CVE drift.

Update behavior by archetype (which classes get patched, which stay frozen)

archetypemodulesnever updatedmedian months since last validation
Secure element/SoC4398%16 mo
Network appliance2889%16.5 mo
OS/kernel crypto2488%16 mo
Cloud/virtual appliance1788%18 mo
Other6680%18 mo
Software crypto library21774%14 mo
Storage/data-at-rest956%13 mo
HSM/accelerator1030%13.5 mo
Firmware/boot10%3 mo

The classes that are hardest to reship are the ones that go unpatched. Secure elements and SoCs, where the cryptography is baked into silicon and a change means a new part, are the least maintained (98% show no CMVP update). HSM/accelerator modules are the best maintained (30% never updated, n=10), consistent with serviceable devices carrying an ongoing vendor maintenance relationship, though that count is still small. Two confounders keep this a heuristic, not a law: many software libraries ship a new certificate per release rather than an update entry on the old one, so their no-update share overstates how frozen any given deployment is; and a missing update entry is a maintenance-friction proxy, not proof a module is insecure. Read it alongside the median-staleness column, which shows how long each class's certified state has actually stood.

Highest-priority review candidates (ranked, start here)

prioritycertarchetypewhyevidence confidence
Critical#4712Cloud/virtual applianceCloud/virtual appliance; names service https/ike/ipsec (service-path signal high, deployment reachability likely); no CMVP validation update; 25mo stalesvc-path:high · deploy-reach:likely · ver-CVE:n/a · drift:n/a
Critical#4751Network applianceNetwork appliance; names service snmp/ssh/tls (service-path signal high, deployment reachability likely); no CMVP validation update; 23mo stalesvc-path:high · deploy-reach:likely · ver-CVE:n/a · drift:n/a
Critical#4832Network applianceNetwork appliance; names service admin/ike/ipsec (service-path signal high, deployment reachability likely); no CMVP validation update; 21mo stalesvc-path:high · deploy-reach:likely · ver-CVE:n/a · drift:n/a
Critical#4907Network applianceNetwork appliance; names service ssh/syslog/tls (service-path signal high, deployment reachability likely); no CMVP validation update; 19mo stalesvc-path:high · deploy-reach:likely · ver-CVE:n/a · drift:n/a
Critical#4916Network applianceNetwork appliance; names service ike/ipsec (service-path signal high, deployment reachability likely); no CMVP validation update; 19mo stalesvc-path:high · deploy-reach:likely · ver-CVE:n/a · drift:n/a
High#5021Software crypto librarySoftware crypto library; names service ssh/tls (service-path signal high, deployment reachability unknown); no CMVP validation update; 39 CVEs in named component/version since certsvc-path:high · deploy-reach:unknown · ver-CVE:medium · drift:high
High#5132Software crypto librarySoftware crypto library; names service ssh/tls (service-path signal high, deployment reachability unknown); no CMVP validation update; 38 CVEs in named component/version since certsvc-path:high · deploy-reach:unknown · ver-CVE:medium · drift:high
High#4775Software crypto librarySoftware crypto library; names service ssh/tls (service-path signal high, deployment reachability unknown); no CMVP validation update; 22mo stale; 25 CVEs in named component/version since certsvc-path:high · deploy-reach:unknown · ver-CVE:high · drift:high
High#4823Software crypto librarySoftware crypto library; names service ssh/tls (service-path signal high, deployment reachability unknown); no CMVP validation update; 21mo stale; 24 CVEs in named component/version since certsvc-path:high · deploy-reach:unknown · ver-CVE:high · drift:high
High#4650Secure element/SoCSecure element/SoC; reach=low (deployment reachability unknown); no CMVP validation update; 32mo stalesvc-path:low · deploy-reach:unknown · ver-CVE:n/a · drift:n/a
High#4727OS/kernel cryptoOS/kernel crypto; reach=low (deployment reachability unknown); no CMVP validation update; 24mo stalesvc-path:low · deploy-reach:unknown · ver-CVE:medium · drift:n/a
High#4748Secure element/SoCSecure element/SoC; reach=low (deployment reachability unknown); no CMVP validation update; 23mo stalesvc-path:low · deploy-reach:unknown · ver-CVE:n/a · drift:n/a
High#4772Secure element/SoCSecure element/SoC; reach=low (deployment reachability unknown); no CMVP validation update; 23mo stalesvc-path:low · deploy-reach:unknown · ver-CVE:n/a · drift:n/a
High#4796OS/kernel cryptoOS/kernel crypto; reach=low (deployment reachability unknown); no CMVP validation update; 22mo stalesvc-path:low · deploy-reach:unknown · ver-CVE:medium · drift:n/a

Critical = network-appliance archetypes naming a reachable service (TLS/SSH/IPsec/admin), no cert update, stale, attack-path candidates requiring confirmation. High = OpenSSL providers that consume TLS/SSH with measured CVE drift, plus long-stale secure elements/kernels. 'reach' confidence is high only when a consuming network service is named, medium for a bare interface.

Offensive archetype × hypothesis (expert priors on where to look)

archetypeattack-path hypothesisnext evidence to collect
Network applianceTLS/SSH/web/admin/data-plane parsing may touch a stale crypto stackservice table, admin docs, ports, vendor PSIRT
Software crypto libraryupstream CVEs may reach consuming services (TLS/SSH/API)exact version, consuming services, distro backports
HSM/acceleratorhost/admin/firmware interfaces may expose key operations or update pathSDK/firmware notes, PCIe/USB/admin services
Secure element/SoClow public visibility; high impact if update/debug/key boundary failsdebug interfaces, firmware provenance, update model
OS/kernel cryptocrypto exposed via consumers: IPsec, storage, VPN, TLS offloadenabled consumers, kernel config, distro advisories
Part VI
The evidence and the market
How good the public documents are, and the vendor and lab structure that produces them.

11Machine-readability & extraction confidence

An extraction-friendliness / completeness proxy, not a judgement of security. It measures whether the Security Policy is structured, complete, and machine-readable, a triage signal for a large corpus, not authoring quality per se.

Rubric, composite score (0–100)

0.45 × table-typing cleanliness% of Security-Policy tables parsed into clean, typed rows (SSPs, services, algorithms…)
0.35 × value-fill% of mapped table cells that are non-empty (catches 'typed but blank')
0.20 × section completenessfraction of the standard's required clauses present in the SP's sections
Grades: A ≥ 85 · B ≥ 72 · C ≥ 58 · D ≥ 45 · F < 45

Grade distribution

A61 docs
B58 docs
C15 docs
D1 docs
F1 docs

Mean grade by security level

Level 183.5
Level 279.3
Level 383.8

by type

Firmware71.5
Firmware-hybrid84.7
Hardware82.9
Software83.2
Software-hybrid82.5

12Vendors with multiple certificates

Vendor names are entity-normalized (trademark marks, legal suffixes, and punctuation removed), so “Cisco Systems, Inc.” and “Cisco Systems, Inc” count once: 191 raw name strings collapse to 174 organizations. Parent/subsidiary and rebrand relationships are not resolved.

Palo Alto Networks, Inc.21 certs
Cisco Systems, Inc.19 certs
Juniper Networks, Inc.16 certs
Samsung Electronics Co., Ltd.14 certs
Apple Inc.14 certs
Red Hat(R), Inc.11 certs
SUSE, LLC9 certs
Amazon Web Services, Inc.9 certs
F5, Inc.8 certs
Motorola Solutions, Inc.8 certs
Qualcomm Technologies, Inc.8 certs
Broadcom Inc.7 certs
Google, LLC.6 certs
Oracle Corporation6 certs
IBM Corporation6 certs
Canonical Ltd.6 certs
KIOXIA Corporation5 certs
Thales5 certs
Advanced Micro Devices (AMD)5 certs
Cloudlinux Inc., TuxCare division5 certs
Ruckus Wireless LLC5 certs
Hewlett Packard Enterprise5 certs
NXP Semiconductors, Inc.4 certs
STMicroelectronics4 certs
Nuvoton Technology Corporation4 certs
Ctrl IQ, Inc.4 certs
NetApp, Inc.3 certs
Corsec Security, Inc.3 certs
Rambus Inc.3 certs
SafeLogic Inc.3 certs
Arista Networks, Inc.3 certs
HP Inc.3 certs
IDEMIA3 certs
[email protected]3 certs
DataLocker, Inc.3 certs
Zebra Technologies Corporation2 certs
EF Johnson Technologies2 certs
Marvell Semiconductor, Inc.2 certs
Micron Technology, Inc.2 certs
wolfSSL Inc.2 certs
Legion of the Bouncy Castle Inc.2 certs
Entrust2 certs
Intel Corporation2 certs
Nokia of America Corporation (Nokia)2 certs
DigiCert, Inc.2 certs
Ericsson Enterprise Wireless Solutions, Inc.2 certs
Toshiba Electronic Devices & Storage Corporation2 certs
Cloud Software Group2 certs
Forcepoint2 certs
Keysight Technologies2 certs
SK hynix NAND Product Solutions Corp (d/b/a Solidigm)2 certs
Riverbed Technology, LLC2 certs
AudioCodes Ltd.2 certs
Ciena Corporation2 certs
Cohesity, Inc.2 certs
Pure Storage, Inc.2 certs
Dell Australia Pty Limited, BSAFE Product Team2 certs
Hitachi Vantara, Ltd.2 certs
CTERA Networks Ltd.2 certs
Musarubra US LLC2 certs
HID Global2 certs
Kingston Technology Company, Inc.2 certs
Ribbon Communications, Inc.2 certs
Gigamon Inc.2 certs
Ezurio2 certs
Nokia Corporation2 certs
Persistent Systems, LLC2 certs
Chainguard, Inc.2 certs
ST Engineering Urban Solutions Ltd.2 certs

13Market structure (labs)

16 accredited labs; work is concentrated in a few CSTLs, concentrated delivery capacity and a potential systemic dependency. Where validation delay actually arises cannot be established from issued certificates alone (see the caveat in §14).

atsec information security corporation102 validations
Acumen Security59 validations
Leidos Accredited Testing & Evaluation (AT&E) Lab52 validations
Lightship Security, Inc.44 validations
Gossamer Security Solutions36 validations
UL Verification Services, Inc.29 validations
DEKRA Cybersecurity Certification Laboratory27 validations
Teron Labs26 validations
AEGISOLVE, Inc.12 validations
Penumbra Security, Inc.11 validations

14Where FIPS time accumulates

This corpus cannot explain why validations take so long. It is survivorship-biased (only modules that succeeded; abandoned/failed/stuck submissions are absent) and carries no pipeline-timing data (no IUT / Cost-Recovery / Pending-Review durations, no comment cycles). So the below are candidate predictors / hypotheses of review burden, not measured time drivers. A true root-cause model needs longitudinal MIP/IUT snapshots.

flowchart LR
  A["Vendor product / module design"] --> B["Boundary, services, SSPs, OE defined"]
  B --> C["Security Policy + evidence package"]
  C --> D["CSTL testing / pre-validation"]
  D --> E["Implementation Under Test"]
  E --> F["Cost Recovery / admin queue"]
  F --> G["Pending CMVP Review"]
  G --> H["CMVP Review"]
  H -->|comments| I["Comment resolution loop"]
  I -->|vendor + CSTL response| H
  H -->|accepted| J["Finalization"]
  J --> K["Certificate issued + SP posted"]
  K --> L["Patch / version / dependency / CVE event"]
  L --> M{"Change inside crypto boundary?"}
  M -->|No / outside| Nn["May not require update if assumptions unchanged"]
  M -->|Yes / unclear| O["Update / revalidation path"]
  O --> C
  classDef queue fill:#fff7e6,stroke:#d6a642;
  classDef rework fill:#fbe9e9,stroke:#c25b5b;
  class E,F,G,H,J queue;
  class I,O rework;

A timing model (where time can accumulate + rework loops), NOT a complete CMVP rule model.

Complexity by archetype (review-burden proxies)

archetypenmedian algosmedian servicesmedian SSPsmedian interfaces
Software crypto library21744
Other6612.5
Secure element/SoC4311
Network appliance2825.0
OS/kernel crypto2422.0
Cloud/virtual appliance1730
HSM/accelerator1057.0
Storage/data-at-rest911
Firmware/boot12

Not determinable from this corpus (needs MIP/IUT snapshots + status-transition history):

Two modes: this bundle supports assurance-gap mode (what does public evidence prove, where is it stale) well; it only seeds validation-throughput mode (where is a submission stuck, who owns the action), pipeline-state and rework numbers are omitted because they would be fabricated without the longitudinal data.

Appendix
Method & provenance
How the corpus was built, and what it deliberately does not claim.

Method, reproduction & caveats

Pipeline (deterministic given the swept cert range + cached NVD responses): build_corpus.py (fetch cert page + Security Policy PDF → per-module JSON) → build_drift.py (NVD CVE API v2, CPE virtualMatchString, CVEs in each named component since validation date) → build_version_exact.py (CVEs whose affected-range includes the certified version, published ≥ validation date, Rejected/Disputed excluded) → analyze_corpus.py → this report / findings / explorer. All corpus figures come from corpus_analysis.json; external inputs (volume-by-year, industry timeline) are labelled inline as provided, not corpus-derived.