Executive finding. A FIPS certificate and its Security Policy are a structured, corpus-wide security record, and this report reads them for what they reliably deliver: a map of the trusted-computing-base surfaces around each module (§6), a measure of how far its named components have drifted since validation (§5), and a ranked view of where a review should look first (§9). A certificate attests one module version, in one approved-mode configuration, at one moment, so it is best read as a map of what to verify in a deployment, which is exactly what makes these artifacts a fast way to aim that verification.
Terminology. Throughout, “certificate” / “validation” / “update” refer to the CMVP FIPS 140-3 validation certificate and its validation-history events, not an X.509/TLS certificate.
Corpus composition. The corpus is a near-census of the 415 FIPS 140-3 modules validated in cert window #4650–#5159. Lifecycle, archetype, algorithm and component-drift findings use all 415. The Security-Policy-structure findings, TCB surfaces (§6), review-priority (§9, §10) and document quality (§11), require the full pdfplumber SP extraction and are computed over the 136 modules that carry it; the rest are metadata-and-text records fetched from CMVP.
0Corpus confidence
| reference date | 2026-07 |
| range swept | cert #4650–#5159 (near-census of FIPS 140-3 in this window) |
| 140-3 modules | 415 (span #4650–#5159) |
| status | {'Active': 382, 'Historical': 33} |
| with validation dates | 414/415 |
| with dated SP revision tables | 3/415 (dev-span directional) |
| dedup rule | one record per certificate number; cross-cert rebrand/re-validation chains NOT yet merged |
The decision model, what actually backs deployed FIPS?
The whole analysis is the evidence layer for one reviewer decision: from “product claims FIPS” down to “is the deployed crypto function the same validated version, in approved mode?”, and on any mismatch, “was it a patch inside or outside the module boundary?” (the security-vs-compliance fork). Corpus data populates the branches below.
flowchart TD A["Product claims FIPS 140 support"] --> B["CMVP certificate for the module?"] B -->|No| Z["No public FIPS validation evidence"] B -->|Yes| C["Certificate status / assurance type?"] C -->|Active full validation| D["Check deployed module identity"] C -->|Interim validation| C1["Interim CMVP assurance
2-yr window, reduced review depth"] C -->|Historical / revoked| C2["Exists, but not current active assurance"] C1 --> D C2 --> D D --> E["Deployed version = certificate version?"] E -->|Yes| F["Check operational environment"] E -->|No / unknown| G["Certified-state drift"] F --> H["Deployed OE = listed / allowed OE?"] H -->|Yes| I["Check approved mode"] H -->|Porting rules used| H1["Vendor/User affirmation
limited assurance"] H -->|No / unknown| G H1 --> I I --> J["Operated per Security Policy?"] J -->|Yes| K["Check services / algorithms"] J -->|No / unknown| G K --> L["Only approved services / algorithms?"] L -->|Yes| M["Strongest deployed FIPS evidence"] L -->|No / unknown| N["Validated module, use outside approved mode"] G --> O["Caused by a patch/update?"] O -->|Outside crypto boundary| P1["May preserve validation if boundary/OE unchanged"] O -->|Inside crypto boundary| Q["Security/compliance fork:
patched but not validated until cert update"] O -->|Unknown| R["Opacity gap: need vendor evidence"]
Corpus populates the branches: status/assurance, Full 200 · Interim 146 · other 69; ever updated, 22% (so most are frozen at the “version = certified?” branch); drift, measured in §5 (OpenSSL providers ~39–40 upstream CVEs since cert); the patch-boundary fork and OE/mode branches need per-module Security-Policy + vendor evidence (the opacity gap a data layer surfaces).
1Lifecycle & certificate window
CMVP certificate active window (n=381)
60 months
median (mean 51). The active window is how long CMVP lists a certificate as valid, from initial validation to sunset (its removal from the active list). It is the module's certification lifetime, not an X.509 certificate's validity period, and it measures the certified state's shelf life, not vulnerability exposure (see §9).
Development→certificate (directional, n=3)
~32 mo
where the SP ships a dated revision table (small sample, anecdote, not a corpus statistic). Consistent with a published external industry estimate (~19 mo post-submission / ~24–36 mo end-to-end; provided, not corpus-derived).
Volume context (external input, provided, not corpus-derived): active 140-3 certs by year run 2022:6 · 2023:6 · 2024:176 · 2025:163 · 2026-YTD:265, a transition-driven surge (~500/yr). The population skews to very recent certificates, so the freeze/exposure patterns are structural and will bite as the 2024–26 cohort ages inside its window without updates.
Assurance type, certificates differ in what backs them
2CMVP re-validation cadence
How often a certificate carries an Update entry (any kind, security, version, OE, administrative, or rebrand; we do not yet classify the type). If a certificate is never updated, public CMVP evidence does not show that later product fixes, firmware updates, or dependency changes are part of the validated configuration.
Updates per module
Cadence
Certificate families and successors (the “never updated” caveat)
A per-certificate “never updated” can understate maintenance: a vendor often validates a successor under a new certificate number instead of updating the old one. Clustering the 415 certificates into 360 product families (normalized vendor + de-noised module name; 44 span more than one certificate) shows 43 of the 324 never-updated modules (13%) have a later-validated family-mate, a likely successor rather than an abandoned certificate. It is a conservative, deterministic lower bound (no NIST “replaced-by” data), so the true successor share is at least this; the rest is the genuinely-frozen population.
| largest product families | certificates |
|---|---|
| Cisco Adaptive Security Appliance Cryptographic Module (FPR 1000 Series)… | #4966, #5066, #5067, #5069 |
| Cisco Secure Firewall Threat Defense Cryptographic Module (FPR 1000 Series)… | #4979, #5035, #5070, #5071 |
| Apple corecrypto Module v12.0 [Apple silicon, Kernel, Software, SL1] / Apple… | #4854, #5050, #5101 |
| Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] / Apple… | #4817, #5065, #5108 |
| BoringCrypto | #4735, #4953, #5104 |
| Nuvoton Cryptographic Library 2.0 / Nuvoton Cryptographic Library 2.3… | #4954, #5008, #5098 |
3Cryptographic posture, specific algorithms
1949 distinct normalized approved-algorithm labels (operation-level, e.g. “RSA SigVer”, “ECDSA KeyGen”, not distinct primitives); median 27 per module. Presence ≠ insecure use, legacy primitives are often retained for verify-only/legacy paths, and AES-ECB is a building block; the signal is breadth of the approved surface.
Most common algorithms
Legacy present (% of modules)
Modern present (%)
4Post-quantum readiness
10/415 (2%) list any PQC algorithm, but composition matters: it is almost entirely stateful hash-based signatures (LMS/HSS, SP 800-208) for firmware signing. Adoption of the new lattice standards ML-KEM/ML-DSA (FIPS 203/204) and SLH-DSA (FIPS 205) is effectively zero (lattice module(s): [], under the pre-standard 'Kyber' name).
PQC by NIST family (% of modules)
Specific PQC algorithms
5Component identification & drift
Components are identified generically, a full-record scan (module name + software/firmware versions + SP body/tables) against an extensible, CPE-mapped catalog (generic whole-record scanning rather than certificate-specific rules). Strong = the module names/ships it (name/version field); a CPE enables the NVD drift join below.
Naming the actual code is the highest-resolution view of a module's trust boundary the public record offers, and the sparsest: it exists only where a component is named. It is the component-level counterpart to the surface-level TCB view in §6, which stays visible for the many modules that name nothing. Where this section goes dark, §6 still sees the surface.
Named components (strong, 89 modules)
Beyond crypto libraries
Because identification is generic, the scan also names bootloaders, firmware, and OS-kernel components that a crypto-library shortlist would miss:
U-Boot (#4700, #4703, #4745); Linux kernel (#4726, #4727, #4739, #4744, #4750, #4764, #4776, #4796, #4804, #4808, #4815, #4863, #4865, #4894, #5034, #5036, #5086, #5089, #5094, #5095, #5097, #5112, #5113); strongSwan (#4911)
One of these, U-Boot inside HSMs, is consequential enough for its own spotlight below.
The boot chain is a first-class security property
For a hardware crypto module the boot chain is the root of trust: if secure-boot or firmware-signature verification can be bypassed, the whole validated crypto boundary can be swapped out underneath the certificate. So the corpus treats boot integrity as a population, not an anecdote, keyed to archetype rather than to whether one component happened to be named. Across the archetypes where it is a core property, 27 of the 32 hardware modules (HSM, secure element, network appliance) expose a boot-integrity, firmware-update, or firmware-trust-anchor surface.
Boot-related surface, by archetype
By TCB surface (§6)
A module can match more than one; these are architectural patterns where the bug class matters, not vulnerabilities.
The bootloaders the corpus can name
Identifying the surface is generic; naming the component is the ceiling. Only where a module names a CPE-mappable bootloader can the corpus move from “has a boot chain” to “check this CVE.” Today that is 3 modules, all shipping U-Boot inside the boundary, the exact surface Binarly's U-Boot FIT signature-verification bypass (CVE-2026-46728, U-Boot < 2026.04) targets:
| cert | module | component | version as listed | validated | upstream CVEs since initial validation |
|---|---|---|---|---|---|
| #4700 | NITROXIII CNN35XX-NFBE HSM Family | U-Boot | 4.03 | 2024-05 | 10 |
| #4703 | Marvell LS2 HSM Family | U-Boot | 10.01 | 2024-06 | 10 |
| #4745 | nShield 5s Hardware Security Module | U-Boot | 1.1.0 | 2024-07 | 10 |
How to use this. Make boot-chain review standard for any hardware crypto module: the corpus reliably flags the whole population that carries the surface. Where the bootloader is named, rebase its version against CVE-2026-46728; where it is not, the flagged surface is the prompt to ask the vendor for the actual boot-loader lineage. Either way the output is a concrete next step.
Component drift, the certified-state freeze, measured
For modules that wrap a well-known upstream (OpenSSL, GnuTLS, libgcrypt, Linux kernel, NSS), this counts CVEs disclosed in that upstream component (CPE-matched in NVD) since the module's initial validation date. It measures how far the upstream has moved past the certified snapshot.
Coverage is component-shaped, and mostly crypto libraries. A drift signal is only possible where a module both names a component and that component maps to an NVD CPE. That holds for 85 of 415 modules (OpenSSL 36, Linux kernel 23, GnuTLS 7, libgcrypt 7, NSS 6, U-Boot 3, wolfSSL 2, strongSwan 1). The other 330, disproportionately the hardware, firmware, and appliance modules, name no CPE-mappable component, so they get no component-level drift signal at all. That blank is a prompt: for the hardware, firmware, and appliance modules where boot and firmware integrity matter most (the spotlight above), the component is simply unnamed at this resolution, so §6 reads them at surface resolution instead, where they stay legible.
Read carefully, this is a drift/pressure indicator, NOT a vulnerability count for the module. The certified version may or may not be affected by any given CVE, and distros routinely back-port fixes without re-validating. For the Linux kernel the count spans the whole kernel, most of it outside the crypto subsystem. The number answers 'how much has the named upstream churned since this certificate froze', which is the question a reviewer should then run down.
Crypto-library modules, by upstream CVE drift since validation
| cert | module | upstream | validated | updates | upstream CVEs since initial validation |
|---|---|---|---|---|---|
| #4718 | wolfCrypt | wolfSSL | 2024-07 | 2 | 86 |
| #5041 | wolfCrypt | wolfSSL | 2025-07 | 0 | 79 |
| #4724 | KeyPair FIPS Provider for OpenSSL 3 | OpenSSL | 2024-07 | 2 | 40 |
| #4725 | SUSE Linux Enterprise OpenSSL Cryptographic Module | OpenSSL | 2024-07 | 1 | 40 |
| #4729 | Linux OpenSSL FIPS Provider | OpenSSL | 2024-07 | 0 | 40 |
| #4746 | Red Hat Enterprise Linux 9 OpenSSL FIPS Provider | OpenSSL | 2024-07 | 0 | 40 |
| #4775 | Junos® OS Evolved OpenSSL Cryptographic Module | OpenSSL | 2024-09 | 0 | 40 |
| #4779 | Oracle Linux 9 OpenSSL FIPS Provider | OpenSSL | 2024-08 | 1 | 40 |
| #4794 | Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module | OpenSSL | 2024-09 | 0 | 40 |
| #4823 | OpenSSL FIPS Provider for AlmaLinux 9 | OpenSSL | 2024-10 | 0 | 39 |
| #4857 | Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider | OpenSSL | 2024-10 | 1 | 39 |
| #4876 | Hewlett Packard Enterprise OpenSSL 3 Provider | OpenSSL | 2024-11 | 2 | 39 |
| #4885 | ZPE Systems FIPS Provider for OpenSSL 3 | OpenSSL | 2024-11 | 0 | 39 |
| #4886 | Gallagher FIPS Provider for OpenSSL 3 | OpenSSL | 2024-11 | 1 | 39 |
| #4888 | Keysight OpenSSL 3 FIPS Provider for Network Visibility | OpenSSL | 2024-11 | 2 | 39 |
| #4889 | AIX FIPS Crypto Provider for OpenSSL 3 | OpenSSL | 2024-11 | 2 | 39 |
| #4923 | HID/Mercury FIPS Provider for OpenSSL 3 | OpenSSL | 2024-12 | 1 | 39 |
| #4926 | Tanium FIPS OpenSSL 3.0 Module | OpenSSL | 2024-12 | 0 | 39 |
| #4929 | Aruba OpenSSL Module | OpenSSL | 2024-12 | 0 | 39 |
| #4981 | Covidence FIPS Provider for OpenSSL 3 | OpenSSL | 2025-03 | 1 | 39 |
| #4985 | OpenSSL FIPS Provider | OpenSSL | 2025-03 | 1 | 39 |
| #5021 | Amazon Linux 2023 OpenSSL FIPS Provider | OpenSSL | 2025-05 | 0 | 39 |
| #5023 | OpenSSL Cryptographic Module | OpenSSL | 2025-06 | 0 | 39 |
| #5073 | ICU Medical FIPS Module for OpenSSL 3 | OpenSSL | 2025-09 | 2 | 38 |
| #5096 | SUSE Linux Enterprise OpenSSL 3 Cryptographic Module | OpenSSL | 2025-11 | 1 | 38 |
| #5102 | Chainguard FIPS Provider for OpenSSL | OpenSSL | 2025-12 | 0 | 38 |
| #5115 | Canonical Ltd. Ubuntu 24.04 OpenSSL Cryptographic Module | OpenSSL | 2026-01 | 0 | 38 |
| #5116 | Rocky Linux 9 OpenSSL FIPS Provider | OpenSSL | 2026-01 | 0 | 38 |
| #5132 | Chainguard FIPS Provider for OpenSSL | OpenSSL | 2026-01 | 0 | 38 |
| #5145 | PreVeil Cryptographic Module based on the OpenSSL FIPS Provider | OpenSSL | 2026-01 | 0 | 38 |
| #5147 | VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider | OpenSSL | 2026-01 | 0 | 38 |
| #5149 | Musarubra US LLC FIPS Provider based on the OpenSSL FIPS Provider | OpenSSL | 2026-01 | 0 | 38 |
| #5154 | NetApp Cryptographic Security Module (NCSM) based on the OpenSSL FIPS Provider | OpenSSL | 2026-02 | 0 | 38 |
| #5155 | Juniper FIPS Provider based on the OpenSSL FIPS Provider | OpenSSL | 2026-02 | 0 | 38 |
| #5156 | Veeam Cryptographic Module based on the OpenSSL FIPS Provider | OpenSSL | 2026-02 | 0 | 38 |
| #5157 | Digi DAL OS based on the OpenSSL FIPS Provider | OpenSSL | 2026-02 | 1 | 38 |
| #5158 | Dell FIPS Module based on the OpenSSL FIPS Provider | OpenSSL | 2026-02 | 0 | 38 |
| #5159 | BigFix Encryption Module based on the OpenSSL FIPS Provider | OpenSSL | 2026-02 | 0 | 38 |
| #4742 | SUSE Linux Enterprise GnuTLS Cryptographic Module | GnuTLS | 2024-07 | 0 | 9 |
| #4780 | Red Hat Enterprise Linux 9 gnutls | GnuTLS | 2024-08 | 0 | 9 |
| #4846 | Red Hat Enterprise Linux 9 gnutls | GnuTLS | 2024-10 | 1 | 9 |
| #4855 | Canonical Ltd. Ubuntu 22.04 GnuTLS Cryptographic Module | GnuTLS | 2024-10 | 0 | 9 |
| #5015 | Amazon Linux 2023 GnuTLS Cryptographic Module | GnuTLS | 2025-05 | 0 | 9 |
| #5037 | Oracle Linux 9 GnuTLS Cryptographic Module | GnuTLS | 2025-07 | 1 | 9 |
| #5049 | GnuTLS cryptography module for AlmaLinux 9 | GnuTLS | 2025-07 | 0 | 9 |
| #4722 | SUSE Linux Enterprise Libgcrypt Cryptographic Module | libgcrypt | 2024-07 | 0 | 2 |
| #4754 | Red Hat Enterprise Linux 9 libgcrypt | libgcrypt | 2024-08 | 0 | 2 |
| #4793 | Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module | libgcrypt | 2024-09 | 0 | 2 |
| #4971 | Amazon Linux 2023 Libgcrypt Cryptographic Module | libgcrypt | 2025-02 | 0 | 2 |
| #4993 | Oracle Linux 9 libgcrypt Cryptographic Module | libgcrypt | 2025-03 | 2 | 2 |
| #5060 | Libgcrypt cryptography module for AlmaLinux 9 | libgcrypt | 2025-09 | 2 | 2 |
| #5117 | Rocky Linux 8 and 9 libgcrypt Cryptographic Module | libgcrypt | 2026-01 | 0 | 2 |
| #4728 | SUSE Linux Enterprise NSS Cryptographic Module | NSS | 2024-07 | 0 | 0 |
| #4774 | Red Hat Enterprise Linux 9 NSS Cryptographic Module | NSS | 2024-08 | 0 | 0 |
| #4801 | Oracle Linux 9 NSS Cryptographic Module | NSS | 2024-09 | 0 | 0 |
| #4911 | Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module | strongSwan | 2024-12 | 0 | 0 |
| #5014 | Amazon Linux 2023 NSS Cryptographic Module | NSS | 2025-05 | 1 | 0 |
| #5022 | Red Hat Enterprise Linux 9 NSS Cryptographic Module | NSS | 2025-05 | 0 | 0 |
| #5031 | NSS cryptography module for AlmaLinux 9 | NSS | 2025-06 | 0 | 0 |
Source: NVD CVE API v2 (CPE virtualMatchString), quarterly counts, as of 2026-07.
Linux-kernel modules (23): upstream CVE counts since cert range 3932–10212, but that is whole-kernel volume, the vast majority outside the crypto subsystem, so it overstates crypto-relevant drift and is kept separate from the table above.
Version-exact CVEs, drift narrowed to the certified version
Drift counts the whole component, incl. newer branches the module doesn't run. Intersecting the certified version with each CVE's NVD affected-range gives the defensible count:
| cert | component | certified ver | drift | version-exact | e.g. |
|---|---|---|---|---|---|
| #4775 | OpenSSL | 3.0.8 | 40 | 25 | CVE-2024-6119, CVE-2025-15467 |
| #4823 | OpenSSL | 3.0.7 | 39 | 24 | CVE-2025-15467, CVE-2025-68160 |
| #4754 | libgcrypt | 1.10.0 | 2 | 1 | CVE-2026-41989 |
| #4793 | libgcrypt | 1.9.4 | 2 | 1 | CVE-2026-41989 |
~24–25 of the ~39–40 OpenSSL drift CVEs affect the exact certified 3.0.x version (≈62%). Method: NVD v2 virtualMatchString=cpe:…:<version>; counted where published ≥ validation date; Rejected/Disputed excluded. Upper-bound caveat: distros back-port fixes without bumping the version string, and this is CVE disclosure, not a vuln or FIPS-boundary claim. Version captured for 4 of 19 component modules (rest have empty softwareVersions, coverage gap).
6TCB surfaces visible in public FIPS artifacts
FIPS validation certifies a defined cryptographic-module boundary; the security of that boundary usually depends on the surrounding trusted computing base (TCB): the boot chain, firmware-update path, debug/recovery controls, host/OE dependencies, network-management services, and secure-element/HSM trust anchors. A Security Policy is not an SBOM, but it is often enough to sketch the core TCB surfaces around the module, which is a more useful thing to ask of it than deployment proof.
What “TCB surface” means here. Public evidence of the mechanisms that decide whether the validated cryptographic boundary stays the code and configuration users rely on: the boot chain, firmware-update path, debug/recovery controls, host/OE dependencies, and trust anchors. Each surface below is an architectural pattern (a motif) matched from public signals, so a match locates the surface where that bug class would matter, pointing a review straight to where to look.
TCB-surface frequency
| TCB-adjacent surface | n | corpus signal | why it matters | what to confirm next |
|---|---|---|---|---|
| boot-chain verification | 9 | secure/verified boot, ROM, bootloader (U-Boot), FIT image | Runs before the crypto boundary; can replace or subvert validated code at the earliest root of trust. | exact bootloader version, whether the affected path is built in, exploitability. |
| firmware-update authentication | 20 | firmware update, signed image, LMS/HSS, anti-rollback | Governs whether patched or swapped code can enter the boundary, and whether it can be rolled back. | whether the implementation is vulnerable. |
| debug/recovery interface | 25 | JTAG, UART, SPI, I²C, USB/DFU, recovery mode | A local path that can bypass normal runtime controls and reach keys or state directly. | whether it is enabled in production. |
| kernel crypto consumer | 9 | Linux kernel, OS/kernel crypto, IPsec / dm-crypt / TLS offload | The host / operational environment mediates access to the module's keys and services. | which subsystem is actually enabled/exposed. |
| network crypto parser/protocol | 24 | TLS / SSH / IKE via OpenSSL, GnuTLS, mbedTLS, wolfSSL | The likely path where untrusted parsers and authentication controls meet the crypto. | whether the vulnerable path is reachable pre-auth. |
| HSM/SE firmware trust anchor | 20 | HSM, secure element / SoC, sub-chip, firmware versions | High-impact root of key custody; the device's whole trust chain hinges on its firmware lineage. | firmware lineage, patchability, production config. |
Every row reads the same way: the corpus locates the surface, external research supplies the bug class. The boot-chain row is worked through in the §5 spotlight (three HSMs naming U-Boot, mapped to Binarly's CVE-2026-46728); the others are the questions a reviewer should raise for a module of that shape.
Bottom line: public FIPS artifacts are genuinely useful TCB-surface evidence. They reveal where boot, firmware-update, debug/recovery, host/OE, network-service, and component-version questions should be asked, turning a certificate into a map of what to verify. Where a component is unnamed (§5), that map still marks the spot to check.
7What the devices expose
Exposed interfaces
Algorithm families
Security level
Type / embodiment
8Device classification
Coarse taxonomy from name + vendor + type + embodiment. The classes behave very differently, chips are frozen silicon (rarely re-validated), HSMs are actively maintained (100% re-validated), network appliances are well-documented but re-validate less, and software carries the broadest crypto surface.
| class | n | doc grade | exposure window | re-validated | PQC | median algos |
|---|---|---|---|---|---|---|
| Software / Library | 230 | 27.5 | 56.0 mo | 27% | 4% | 44.0 |
| Other Hardware | 86 | 19.6 | 60 mo | 20% | 0% | 9.0 |
| Chip / Secure Element | 52 | 29.5 | 60 mo | 2% | 0% | 11.0 |
| Network Appliance | 28 | 37.5 | 60.0 mo | 11% | 0% | 25.0 |
| HSM | 10 | 36.4 | 60 mo | 70% | 0% | 57.0 |
| Firmware | 9 | 29.1 | 42.0 mo | 11% | 0% | 32 |
9Risk-triage lens
An active module whose last validation is old and which exposes a remote/networked interface is where an unpatched CVE would matter, its certified state predates the fix and no re-validation has pulled the fix in. This is the internal signal to correlate against external CVE/advisory timelines (NVD, vendor PSIRTs).
Stale + network-relevant modules (triage queue)
| cert | module | since last val. | interfaces | ever updated? |
|---|---|---|---|---|
| #4733 | Device Cryptographic Module | 24 mo | Network/Ethernet | never |
| #4742 | SUSE Linux Enterprise GnuTLS Cryptograph | 24 mo | Network/Ethernet | never |
| #4751 | Nokia 1830 Photonic Service Switch (PSS) | 23 mo | Network/Ethernet, Serial/UART, USB | never |
| #4832 | Ruckus FastIron ICX ™ 7450 Series Switch | 21 mo | Console, Network/Ethernet | never |
| #4835 | Forcepoint NGFW Cryptographic Kernel Mod | 21 mo | Console | never |
| #4850 | Quantum Xchange Phio TX | 21 mo | Console, Network/Ethernet, Serial/UART, USB | never |
| #4907 | Mediant 800 Session Border Controller/Me | 19 mo | Network/Ethernet, Serial/UART, USB | never |
| #4916 | AP-514, AP-515, AP-534, AP-535, AP-584, | 19 mo | Network/Ethernet, Wireless | never |
10Operational archetypes & review-priority
Embodiment (hw/sw/fw) is too coarse for risk. Operational archetype captures the attack path and lets reachability be weighted by class, a network interface on a software library is host-mediated (the app listens, not the module), on a network appliance it is the management/data plane. Review priority = Likelihood + Impact as ordinal ranks (a rank sum, not a product) banded into tiers, explicit rules, no weighted coefficients; measured upstream CVE drift weighs most (real evidence, not heuristic). The tiers are review-order candidates, not vulnerability severities.
Archetype mix
Review-priority distribution
Impact is a documented expert prior per archetype; Likelihood = archetype-weighted reachability + never-updated + ≥18mo stale + upstream CVE drift.
Update behavior by archetype (which classes get patched, which stay frozen)
| archetype | modules | never updated | median months since last validation |
|---|---|---|---|
| Secure element/SoC | 43 | 98% | 16 mo |
| Network appliance | 28 | 89% | 16.5 mo |
| OS/kernel crypto | 24 | 88% | 16 mo |
| Cloud/virtual appliance | 17 | 88% | 18 mo |
| Other | 66 | 80% | 18 mo |
| Software crypto library | 217 | 74% | 14 mo |
| Storage/data-at-rest | 9 | 56% | 13 mo |
| HSM/accelerator | 10 | 30% | 13.5 mo |
| Firmware/boot | 1 | 0% | 3 mo |
The classes that are hardest to reship are the ones that go unpatched. Secure elements and SoCs, where the cryptography is baked into silicon and a change means a new part, are the least maintained (98% show no CMVP update). HSM/accelerator modules are the best maintained (30% never updated, n=10), consistent with serviceable devices carrying an ongoing vendor maintenance relationship, though that count is still small. Two confounders keep this a heuristic, not a law: many software libraries ship a new certificate per release rather than an update entry on the old one, so their no-update share overstates how frozen any given deployment is; and a missing update entry is a maintenance-friction proxy, not proof a module is insecure. Read it alongside the median-staleness column, which shows how long each class's certified state has actually stood.
Highest-priority review candidates (ranked, start here)
| priority | cert | archetype | why | evidence confidence |
|---|---|---|---|---|
| Critical | #4712 | Cloud/virtual appliance | Cloud/virtual appliance; names service https/ike/ipsec (service-path signal high, deployment reachability likely); no CMVP validation update; 25mo stale | svc-path:high · deploy-reach:likely · ver-CVE:n/a · drift:n/a |
| Critical | #4751 | Network appliance | Network appliance; names service snmp/ssh/tls (service-path signal high, deployment reachability likely); no CMVP validation update; 23mo stale | svc-path:high · deploy-reach:likely · ver-CVE:n/a · drift:n/a |
| Critical | #4832 | Network appliance | Network appliance; names service admin/ike/ipsec (service-path signal high, deployment reachability likely); no CMVP validation update; 21mo stale | svc-path:high · deploy-reach:likely · ver-CVE:n/a · drift:n/a |
| Critical | #4907 | Network appliance | Network appliance; names service ssh/syslog/tls (service-path signal high, deployment reachability likely); no CMVP validation update; 19mo stale | svc-path:high · deploy-reach:likely · ver-CVE:n/a · drift:n/a |
| Critical | #4916 | Network appliance | Network appliance; names service ike/ipsec (service-path signal high, deployment reachability likely); no CMVP validation update; 19mo stale | svc-path:high · deploy-reach:likely · ver-CVE:n/a · drift:n/a |
| High | #5021 | Software crypto library | Software crypto library; names service ssh/tls (service-path signal high, deployment reachability unknown); no CMVP validation update; 39 CVEs in named component/version since cert | svc-path:high · deploy-reach:unknown · ver-CVE:medium · drift:high |
| High | #5132 | Software crypto library | Software crypto library; names service ssh/tls (service-path signal high, deployment reachability unknown); no CMVP validation update; 38 CVEs in named component/version since cert | svc-path:high · deploy-reach:unknown · ver-CVE:medium · drift:high |
| High | #4775 | Software crypto library | Software crypto library; names service ssh/tls (service-path signal high, deployment reachability unknown); no CMVP validation update; 22mo stale; 25 CVEs in named component/version since cert | svc-path:high · deploy-reach:unknown · ver-CVE:high · drift:high |
| High | #4823 | Software crypto library | Software crypto library; names service ssh/tls (service-path signal high, deployment reachability unknown); no CMVP validation update; 21mo stale; 24 CVEs in named component/version since cert | svc-path:high · deploy-reach:unknown · ver-CVE:high · drift:high |
| High | #4650 | Secure element/SoC | Secure element/SoC; reach=low (deployment reachability unknown); no CMVP validation update; 32mo stale | svc-path:low · deploy-reach:unknown · ver-CVE:n/a · drift:n/a |
| High | #4727 | OS/kernel crypto | OS/kernel crypto; reach=low (deployment reachability unknown); no CMVP validation update; 24mo stale | svc-path:low · deploy-reach:unknown · ver-CVE:medium · drift:n/a |
| High | #4748 | Secure element/SoC | Secure element/SoC; reach=low (deployment reachability unknown); no CMVP validation update; 23mo stale | svc-path:low · deploy-reach:unknown · ver-CVE:n/a · drift:n/a |
| High | #4772 | Secure element/SoC | Secure element/SoC; reach=low (deployment reachability unknown); no CMVP validation update; 23mo stale | svc-path:low · deploy-reach:unknown · ver-CVE:n/a · drift:n/a |
| High | #4796 | OS/kernel crypto | OS/kernel crypto; reach=low (deployment reachability unknown); no CMVP validation update; 22mo stale | svc-path:low · deploy-reach:unknown · ver-CVE:medium · drift:n/a |
Critical = network-appliance archetypes naming a reachable service (TLS/SSH/IPsec/admin), no cert update, stale, attack-path candidates requiring confirmation. High = OpenSSL providers that consume TLS/SSH with measured CVE drift, plus long-stale secure elements/kernels. 'reach' confidence is high only when a consuming network service is named, medium for a bare interface.
Offensive archetype × hypothesis (expert priors on where to look)
| archetype | attack-path hypothesis | next evidence to collect |
|---|---|---|
| Network appliance | TLS/SSH/web/admin/data-plane parsing may touch a stale crypto stack | service table, admin docs, ports, vendor PSIRT |
| Software crypto library | upstream CVEs may reach consuming services (TLS/SSH/API) | exact version, consuming services, distro backports |
| HSM/accelerator | host/admin/firmware interfaces may expose key operations or update path | SDK/firmware notes, PCIe/USB/admin services |
| Secure element/SoC | low public visibility; high impact if update/debug/key boundary fails | debug interfaces, firmware provenance, update model |
| OS/kernel crypto | crypto exposed via consumers: IPsec, storage, VPN, TLS offload | enabled consumers, kernel config, distro advisories |
11Machine-readability & extraction confidence
An extraction-friendliness / completeness proxy, not a judgement of security. It measures whether the Security Policy is structured, complete, and machine-readable, a triage signal for a large corpus, not authoring quality per se.
Rubric, composite score (0–100)
| 0.45 × table-typing cleanliness | % of Security-Policy tables parsed into clean, typed rows (SSPs, services, algorithms…) |
| 0.35 × value-fill | % of mapped table cells that are non-empty (catches 'typed but blank') |
| 0.20 × section completeness | fraction of the standard's required clauses present in the SP's sections |
| Grades: A ≥ 85 · B ≥ 72 · C ≥ 58 · D ≥ 45 · F < 45 | |
Grade distribution
Mean grade by security level
by type
12Vendors with multiple certificates
Vendor names are entity-normalized (trademark marks, legal suffixes, and punctuation removed), so “Cisco Systems, Inc.” and “Cisco Systems, Inc” count once: 191 raw name strings collapse to 174 organizations. Parent/subsidiary and rebrand relationships are not resolved.
13Market structure (labs)
16 accredited labs; work is concentrated in a few CSTLs, concentrated delivery capacity and a potential systemic dependency. Where validation delay actually arises cannot be established from issued certificates alone (see the caveat in §14).
14Where FIPS time accumulates
This corpus cannot explain why validations take so long. It is survivorship-biased (only modules that succeeded; abandoned/failed/stuck submissions are absent) and carries no pipeline-timing data (no IUT / Cost-Recovery / Pending-Review durations, no comment cycles). So the below are candidate predictors / hypotheses of review burden, not measured time drivers. A true root-cause model needs longitudinal MIP/IUT snapshots.
flowchart LR
A["Vendor product / module design"] --> B["Boundary, services, SSPs, OE defined"]
B --> C["Security Policy + evidence package"]
C --> D["CSTL testing / pre-validation"]
D --> E["Implementation Under Test"]
E --> F["Cost Recovery / admin queue"]
F --> G["Pending CMVP Review"]
G --> H["CMVP Review"]
H -->|comments| I["Comment resolution loop"]
I -->|vendor + CSTL response| H
H -->|accepted| J["Finalization"]
J --> K["Certificate issued + SP posted"]
K --> L["Patch / version / dependency / CVE event"]
L --> M{"Change inside crypto boundary?"}
M -->|No / outside| Nn["May not require update if assumptions unchanged"]
M -->|Yes / unclear| O["Update / revalidation path"]
O --> C
classDef queue fill:#fff7e6,stroke:#d6a642;
classDef rework fill:#fbe9e9,stroke:#c25b5b;
class E,F,G,H,J queue;
class I,O rework;
A timing model (where time can accumulate + rework loops), NOT a complete CMVP rule model.
Complexity by archetype (review-burden proxies)
| archetype | n | median algos | median services | median SSPs | median interfaces |
|---|---|---|---|---|---|
| Software crypto library | 217 | 44 | – | – | – |
| Other | 66 | 12.5 | – | – | – |
| Secure element/SoC | 43 | 11 | – | – | – |
| Network appliance | 28 | 25.0 | – | – | – |
| OS/kernel crypto | 24 | 22.0 | – | – | – |
| Cloud/virtual appliance | 17 | 30 | – | – | – |
| HSM/accelerator | 10 | 57.0 | – | – | – |
| Storage/data-at-rest | 9 | 11 | – | – | – |
| Firmware/boot | 1 | 2 | – | – | – |
Not determinable from this corpus (needs MIP/IUT snapshots + status-transition history):
- days in IUT / lab pipeline
- days in Cost Recovery
- days in Pending Review
- number of CMVP comment cycles
- which party (vendor/lab/CMVP) drove a delay
- which evidence class (entropy/algorithm/physical/SSP/OE/SP-quality) caused rework
- how long abandoned or still-pending modules have waited (not in a validated-cert corpus at all)
Method, reproduction & caveats
Pipeline (deterministic given the swept cert range + cached NVD responses): build_corpus.py (fetch cert page + Security Policy PDF → per-module JSON) → build_drift.py (NVD CVE API v2, CPE virtualMatchString, CVEs in each named component since validation date) → build_version_exact.py (CVEs whose affected-range includes the certified version, published ≥ validation date, Rejected/Disputed excluded) → analyze_corpus.py → this report / findings / explorer. All corpus figures come from corpus_analysis.json; external inputs (volume-by-year, industry timeline) are labelled inline as provided, not corpus-derived.
- Corpus is a swept sample of the recent CMVP certificate-number range, filtered to FIPS 140-3, not the full population.
- Validation-history timing (windows, cadence, staleness) has ~100% coverage; SP-revision development-span only where the SP ships a dated revision table (a minority).
- Component/version-exact CVE counts are upstream pressure indicators, not module-vulnerability counts; distro back-ports are not reflected in the version string, so version-exact is an upper bound. NVD data as of the reference date.
- The risk-triage lens and review-priority are attack-path hypotheses requiring confirmation, not confirmed vulnerabilities; L5 (confirmed exposure) is never reached from public CMVP+NVD data alone. Impact is an expert prior; thresholds are not yet calibrated against expert labels.
- Document grades reflect extraction-friendliness + completeness, not authoring or security quality.
- Terms: CMVP = the FIPS 140-3 validation program/certificate; CSTL = accredited test lab; Security Policy = the per-vendor module PDF; SSP/CSP = protected keys/parameters; OE = operational environment; sunset = certificate end-of-active-window.