Preparing for FIPS validation with AQtive Guard↑

Achieving FIPS 140-2/3 validation (or accreditation) is a rigorous process that confirms your cryptographic modules meet stringent security requirements for use in sensitive federal environments. AQtive Guard (AQG) is an indispensable tool that can significantly streamline and strengthen your organization’s preparation for FIPS validation.

Why use AQtive Guard for FIPS?↑

The FIPS validation journey requires not only using approved algorithms and key lengths (which AQG excels at verifying), but also independent validation of your cryptographic implementations. AQG empowers you to build a robust foundation for this process.

Thorough internal preparation before official submission is crucial for FIPS 140 validation. By leveraging AQG for extensive testing and documentation, you can significantly minimize findings before engaging a NIST-accredited testing lab. This directly reduces validation costs, time, and the need for iterative re-submissions, leading to a much smoother and faster path to validation.

Step-by-step FIPS preparation↑

Here’s a recommended step-by-step process for leveraging AQG in your FIPS validation preparation.

Step 1: Understand Your FIPS scope and requirements↑

Before you begin scanning for FIPS validation, first clearly define your scope. This involves identifying each system’s cryptographic boundary. Once these boundaries are identified, pinpoint the specific applications, systems, and cryptographic modules within them that must comply with FIPS 140-2/3.

Within these defined boundaries, pinpoint the specific applications, systems, and cryptographic modules that need to comply with FIPS 140-2/3. This will guide your AQG scanning strategy.

Important

FIPS 140-2/3 validation applies to a specific cryptographic module, not necessarily entire applications or networks. Your validation will focus on proving that where cryptography is required, it is performed by a FIPS-validated module.

Step 2: Ingest relevant assets into AQtive Guard↑

Ensure all applications, network segments, and file systems within your FIPS validation scope are configured in AQG for scanning. This comprehensive visibility is the starting point for any cryptographic assessment.

Step 3: Configure and run scans with the NIST profile↑

The AQtive Guard NIST Profile is your primary tool for FIPS preparation. It’s designed to verify the use of cryptographic best practices derived from the NIST SP 800 series, which are foundational to FIPS validation.

Apply the NIST profile. Apply the NIST Profile to analyze data for applications, networks, and file systems. AQG will analyze cryptographic objects, algorithms, key lengths, and certificate configurations against the rules within this profile.
Run scans. Run comprehensive scans across your defined validation scope for any data ingestion that isn’t automated.

Step 4: Analyze scan results and identify cryptographic weaknesses↑

Once your scans are complete, review the AQG reports generated from the NIST Profile. This initial assessment provides immediate visibility into your cryptographic posture.

Focus on Critical or High severity issues. Identify and prioritize all flagged issues, particularly those related to:

Weak algorithms. Use of outdated or insecure cryptographic algorithms. FIPS 140-3, Annex A
Inadequate key lengths. Keys not meeting minimum security strength requirements, such as keys that are too short. NIST SP 800-131A Rev. 2, NIST SP 800-131A Rev. 3 (Initial Public Draft)
Insecure protocols. Use of deprecated TLS/SSL versions. NIST SP 800-52 Rev. 2
Weak random number generators or insufficient entropy. Fundamental flaws that can undermine the security of all cryptographic operations that rely on randomness. NIST SP 800-90A Rev. 1, NIST SP 800-90B
Expired, invalid, or untrusted certificates, as well as certificate chain issues. NIST SP 800-52 Rev. 2
Key management issues, such as key reuse or insecure key storage. NIST SP 800-57 Part 1

Step 5: Prioritize and remediate identified issues↑

Address the cryptographic vulnerabilities identified by AQG. Remediating these foundational issues is a critical prerequisite for FIPS validation.

Immediate remediation. Prioritize fixing easily identifiable and high-impact issues such as:

Updating to approved algorithms and sufficient key lengths.
Upgrading to secure protocols, such as TLS 1.2/1.3.
Replacing expired or invalid certificates.

Step 6: Focus on FIPS implementation validation↑

This step moves beyond general cryptographic hygiene to address the specific FIPS requirement for validated implementations. For many federal and regulated environments, using cryptography that has undergone a formal validation process is mandatory. This validation is performed by the Cryptographic Module Validation Program (CMVP), a joint U.S. (NIST) and Canadian (CCCS) program. The CMVP tests and validates cryptographic modules against the FIPS 140 series of standards (currently FIPS 140-2 and FIPS 140-3), confirming they meet stringent security requirements for implementing FIPS-approved algorithms and cryptographic functions.

Note

As of September 21, 2026, all FIPS 140-2 validated cryptographic modules will transition to historical status, requiring a shift to FIPS 140-3 validated modules for new procurements and deployments.

For Java applications (Coming soon). After scanning one or more Java applications in AQG, apply the Java Provider Check rule. If all cryptographic operations within your Java applications successfully pass this rule, it verifies they’re using a FIPS-approved Java Cryptographic Provider operating in FIPS-approved-only mode. This provides strong, direct evidence that those applications meet FIPS compliance requirements under CMVP validation.

For other applications, network, and file system scans. AQG helps you confirm the use of approved algorithms and sufficient key lengths. This is a necessary foundation for any FIPS validation effort. Address historical modules. Additionally, use these scans to identify any FIPS 140-2 validated modules deemed historical by NIST under NIST SP 800-56A Rev 3. You’ll need to plan for their replacement with currently validated alternatives and document this in your Plan of Action and Milestones (POA\&M).

For more details on the CMVP and its validation process, refer to the official NIST CMVP website.

Step 7: Document and prepare for validation↑

FIPS validation requires comprehensive documentation of your module’s design, implementation, and testing. AQG can significantly aid in compiling this evidence.

Export AQG data. Export detailed scan data from AQG to provide a snapshot of your cryptographic inventory, identified issues, and evidence of remediation progress. Reports using this data serve as concrete evidence of your adherence to cryptographic best practices, which an accredited testing lab will review as vendor evidence.
Map findings to FIPS requirements (S-13 control). Demonstrating exactly where and how cryptographic functions are performed is a key part of FIPS validation. AQG provides crucial data for this, directly supporting the SC-13 control (a FedRAMP/NIST requirement). Its comprehensive discovery capabilities are invaluable for informing and cross-referencing your cryptographic module inventory, helping you:
- Identify where cryptographic functions are being performed, including specific applications, network devices, operating systems.
- Determine which cryptographic components or libraries are in use.
- Identify the cryptographic algorithms and key lengths being utilized by these components.
- Flag if components are using algorithms or modes that are not FIPS-approved or are considered historical.
Maintain a cryptographic module inventory. While AQG identifies usage, you will need to compile a separate inventory of all cryptographic modules, their FIPS validation status (including CMVP certificate numbers), and their role in your system. AQG data helps you populate this inventory accurately and ensures that the modules you claim are FIPS-validated are indeed the ones actively in use and correctly configured.

Step 8: Engage with formal validation↑

Once outstanding issues are addressed and documentation compiled using AQG data, you’re ready for the formal validation of your cryptographic modules.

Formal FIPS Validation Process. For full FIPS validation, your underlying cryptographic modules must be tested by a NIST-Accredited Cryptographic and Security Testing (CST) Laboratory. These laboratories are specifically accredited by the National Voluntary Laboratory Accreditation Program (NVLAP), which is part of NIST. After successful testing, the module receives a FIPS 140-2/3 validation certificate from NIST’s Cryptographic Module Validation Program (CMVP). Your AQG data will be a crucial asset in demonstrating your due diligence and cryptographic posture during this assessment.
Leveraging a Third-Party Assessor (3PAO). While 3PAOs are primarily known for their role in FedRAMP assessments, they can also play a valuable part in preparing for or reviewing your FIPS posture. They can help bridge the gap between your internal FIPS readiness and the formal validation process, leveraging your AQG data to assess your cryptographic implementations before engagement with an NVLAP-accredited lab.

Step 9: Implement Continuous Monitoring↑

FIPS compliance is not a one-time event. It requires ongoing vigilance.

Regular scans. Implement regular, automated scans with AQG using the NIST Profile.
Proactive detection. This ensures that new cryptographic issues are quickly identified, and any drift from your compliant posture is immediately flagged, allowing for proactive remediation.