Determining FIPS 140-2 compliance in a medical device

tlombardo

Background: Medical startup (first product). The device is a point-of-care x-ray system which interfaces with PACS/DICOM storage through Wi-Fi. The Veterans Health Administration, when initiating an enterprise risk assessment, asks for a FIPS 140-2 certification number for any wireless networked device.

Question: It could very well be that our device is not FIPS 140-2 compliant, but if it is, how would we demonstrate compliance? For the purpose of the VHA ERA this information is submitted through the form in VA Directive 6550 Appendix A, which simply asks for the certification number. Would this need to be a custom certification for our (software) system? Or just a reference to the underlying cryptographic module that has a certification number already on file in the NIST database?

Details: The device is running a Java application that manages all network traffic. It contains OpenSSL 3.0 using the AES-256 algorithm, running on a Debian 10 OS on an Intel NUC with an Intel network adapter.

Thanks for any assistance,
Tom
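A practical check to go with this question, added here as an editor's example and not part of the original post or of the poster's device software: FIPS 140 validation attaches to a specific cryptographic module, and for OpenSSL 3.x that module is the separately built FIPS provider (fips.so), which has its own entry and version in the CMVP database; the rest of libcrypto/libssl is not what the certificate covers. So which certificate number applies depends on whether the device actually installs and loads that provider and whether the loaded version matches the validated one. The script below shows the openssl.cnf fragment that activates the FIPS provider (the /usr/local/ssl/fipsmodule.cnf path is an assumption) and parses the output of `openssl list -providers` to confirm the provider is loaded and reports "active", returning its version for comparison with the certificate. The two listings are constructed samples; the live query is only attempted if an openssl binary is on PATH.

```python
"""Confirm that OpenSSL 3.x is running with the FIPS provider loaded and active.

Added example: parses the text printed by `openssl list -providers`.
"""
import shutil
import subprocess
from typing import Dict, Optional

# Minimal openssl.cnf fragment that loads the FIPS provider and makes FIPS
# algorithms the default.  fipsmodule.cnf is generated by `openssl fipsinstall`
# and carries the module's HMAC integrity value; its path here is an assumption.
OPENSSL_CNF_FIPS = """\
config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
"""

# Constructed sample: what a correctly configured host prints.
SAMPLE_FIPS_ACTIVE = """\
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active
"""

# Constructed sample: stock OpenSSL 3.x with only the default provider (not FIPS).
SAMPLE_DEFAULT_ONLY = """\
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
"""


def parse_providers(listing: str) -> Dict[str, Dict[str, str]]:
    """Parse `openssl list -providers` output into {provider_id: {field: value}}.

    Provider ids are indented two spaces; their fields four spaces.
    """
    providers: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in listing.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped == "Providers:":
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= 2:
            current = stripped
            providers[current] = {}
        elif current is not None:
            key, _, value = stripped.partition(":")
            providers[current][key.strip()] = value.strip()
    return providers


def fips_provider_active(listing: str) -> bool:
    """True only if a provider with id 'fips' is loaded and reports status: active."""
    info = parse_providers(listing).get("fips")
    return info is not None and info.get("status") == "active"


def fips_module_version(listing: str) -> Optional[str]:
    """Version string of the loaded FIPS provider, to compare with the CMVP entry."""
    info = parse_providers(listing).get("fips")
    return info.get("version") if info else None


def live_provider_listing() -> Optional[str]:
    """Run the real command when openssl is installed; None keeps the example offline-safe."""
    if shutil.which("openssl") is None:
        return None
    result = subprocess.run(["openssl", "list", "-providers"],
                            capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None


if __name__ == "__main__":
    for label, text in (("constructed FIPS listing", SAMPLE_FIPS_ACTIVE),
                        ("constructed default-only listing", SAMPLE_DEFAULT_ONLY)):
        print(f"{label}: fips active = {fips_provider_active(text)}, "
              f"module version = {fips_module_version(text)}")
    live = live_provider_listing()
    if live is not None:
        print(f"this host: fips active = {fips_provider_active(live)}, "
              f"module version = {fips_module_version(live)}")
```

A "fips" provider that is absent, or present but not "active", means the validated module is not in use and the stock library's certificate-free code is doing the AES and TLS work, whatever the algorithm names say. The version reported must also match the version on the CMVP certificate; a rebuilt or newer fips.so is a different module. The application side should likewise be checked, since a Java process using its own JSSE/JCE providers would never touch OpenSSL at all.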

Tidge

Question: It could very well be that our device is not FIPS 140-2 compliant, but if it is, how would we demonstrate compliance?
...
Details: Device is running a java application that manages all network traffic - contains OpenSSL 3.0 using AES 256 algorithm - running on a Debian 10 OS on an Intel NUC with an Intel network adapter.

So... it sounds like the design has an architecture where you allocated elements of the interface to identified implementation details. This is good!

To demonstrate compliance, it is best that you have dedicated system-level requirements that trace to this architecture (and implemented solution), with appropriate verification that the system-level requirements are satisfied. I have no specific familiarity with "FIPS 140-2" certification, so it is possible that your solution is compliant (by accident?), but it is best to design it for compliance. For legacy solutions, the only recourse is to start with the requirements and analyze the solution for conformity... this is likely what a third-party assessor will do... although I can imagine them "kicking the tires" as well. Please let us know how you proceed and what you learn!