
FIPS, Common Criteria, and "Military-Grade" Claims

By Necron Team

Certifications exist for procurement—use them correctly

Security labels are only useful if you treat them as scoped statements:

  • What component is evaluated (software module? secure element? full device?)
  • What boundary is covered (cryptographic boundary / TOE boundary)
  • Which version/configuration is validated
  • What you can verify independently (certificate IDs, Security Targets, vendor docs)

FIPS 140-3: what it actually validates

FIPS 140-3 is the current U.S./Canada cryptographic module validation standard. Validations are issued under the Cryptographic Module Validation Program (CMVP), run jointly by NIST and the Canadian Centre for Cyber Security.

Key points:

  • FIPS applies to a cryptographic module with a defined cryptographic boundary, not to a product marketing bundle.
  • Validation is managed through CMVP (NIST + Canadian Centre for Cyber Security). Each validated module gets a certificate number and a public, non-proprietary Security Policy that describes the boundary, the approved algorithms and modes, and the tested platforms.
  • FIPS 140-3 references ISO/IEC 19790 (requirements) and ISO/IEC 24759 (test methods) rather than embedding all requirements directly.
  • The program has moved from FIPS 140-2 to 140-3: CMVP stopped accepting new 140-2 submissions in 2022, and the remaining 140-2 certificates are scheduled to move to the Historical List in 2026.

What to ask a vendor (FIPS)

What is the certificate number / module name?
If they can't provide one, you likely have "designed to meet" or "uses validated algorithms" rather than a validated module. Look the number up on the CMVP validated modules list and read the Security Policy that goes with it.

What is inside the cryptographic boundary?
Example: "secure element firmware module" vs "entire drive product." A validated module inside a product does not make the surrounding firmware, host software, or key-handling code validated.

What operating mode are you using?
Many modules have an approved mode and a non-approved mode; you need the former, and you need the product to enforce it. Invoking a single non-approved algorithm or service takes the module out of approved mode.

Does your shipped configuration match the validated configuration?
Firmware versions, build options, and tested operational environments matter. A later firmware build or a platform that is not on the certificate is not covered unless CMVP has updated the listing.

Common buyer mistake: "Uses AES-256" ≠ "FIPS validated." Algorithm choice is not the same thing as module validation: AES-256 implemented in unvalidated code is still unvalidated, and a CAVP algorithm certificate on its own is not a CMVP module validation.


Common Criteria: EAL isn't the whole story

Common Criteria (ISO/IEC 15408) evaluates a Target of Evaluation (TOE) against the claims in a Security Target (ST), which may in turn claim conformance to a Protection Profile (PP) for the product category.

Evaluation Assurance Levels (EALs) are a standardized "assurance package" ladder, EAL1 through EAL7. The CC framework defines EALs as increasing levels that trade assurance against cost and feasibility. Two caveats: under the CCRA, mutual recognition between national schemes covers only evaluations up to EAL2 (plus flaw remediation) or evaluations against a collaborative PP, and some schemes, NIAP in the U.S. among them, evaluate against PPs without claiming an EAL at all.

What to ask a vendor (Common Criteria)
  • Security Target (ST): What claims are actually made, and which security functions are inside the TOE?
  • Protection Profile (PP): Was the evaluation against a relevant PP for the product category, or only against a vendor-written ST?
  • EAL level: Useful, but secondary to scope. Ask which scheme issued the certificate and whether it is still current on that scheme's list.
  • Assumptions: CC evaluations often assume physical security, trusted administrators, or specific deployment constraints; the ST's security problem definition lists them.

How to interpret EAL in practice

A high EAL on a narrow TOE can be less useful than a lower EAL evaluation that covers the parts you actually deploy. Read the ST's TOE description, identify what is explicitly in and out of scope, and check that the evaluated version matches the one you are buying.


"Military-grade encryption" is not a certification

"Military-grade" is typically marketing shorthand. Force specificity:

  • Exact algorithms and modes (AES-GCM vs AES-CBC matters)
  • Key generation method + entropy source
  • Brute-force resistance (rate limiting, lockout)
  • Firmware integrity (secure boot, signed updates)
  • Key protection (secure element, extraction resistance)

If a claim can't be pinned to artifacts and boundaries, it's not procurement-grade evidence.


A technical scorecard for encryption hardware claims

Evaluate across five dimensions, each with questions you can verify:

Cryptography: AEAD modes for data (confidentiality + integrity in one primitive). Correct nonce/IV handling (unique per key, never reused), or a misuse-resistant or deterministic construction where a per-message nonce cannot be stored, e.g. for filenames and other metadata.

Key protection: Where keys live and whether they are exportable. Hardware-backed enforcement of retry limits / anti-hammering, rather than a counter that host software can reset.

Authentication: PIN/passphrase policy enforcement. Optional biometrics: where templates live, and what the fallback path is when the biometric fails.

Firmware + supply chain: Signed updates and a secure boot chain, including protection against rollback to an older signed firmware. A published vulnerability disclosure process.

Operational evidence: Can you export configuration state and audit logs? Inventory and provisioning controls.
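The Cryptography dimension above and the "exact algorithms and modes" bullet in the military-grade section both turn on one distinction: a mode that only hides data (AES-CBC) versus an AEAD mode (AES-GCM) that also rejects modification. The Go program below is an added illustration written for this page; it is not code from Necron Vault Manager or from any validated module. It draws an AES-256 key from the OS CSPRNG, flips one bit of a CBC ciphertext so that "0100" decrypts as "0900" with no error, and then applies the same flip to an AES-GCM message, which the tag check refuses. The payment-style plaintext and the "msg-id" associated-data header are constructed samples. Running this against the standard Go crypto library also says nothing about FIPS validation; that depends on the module, version and mode actually shipped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample, 32 bytes so CBC needs no padding in this illustration.
const sample = "PAY 0100 USD TO ACCOUNT 0000042X"

// NewKey draws a 256-bit AES key from the OS CSPRNG (the entropy-source question).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// TamperCBC encrypts sample as iv||ct, flips bit 0x08 of IV byte 5 and decrypts.
// The first CBC block is D(C0) XOR IV, so plaintext byte 5 flips with it: '1'
// (0x31) becomes '9' (0x39) and "0100" turns into "0900" with nothing to catch it.
func TamperCBC(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	data := make([]byte, aes.BlockSize+len(sample)) // iv || ciphertext
	if _, err := io.ReadFull(rand.Reader, data[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, data[:aes.BlockSize]).CryptBlocks(data[aes.BlockSize:], []byte(sample))
	data = FlipBit(data, 5, 0x08) // attacker touches one bit of the IV in transit
	pt := make([]byte, len(sample))
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	return string(pt), nil // CBC has no integrity check, so no error is possible
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptGCM returns nonce||ciphertext||tag; aad is authenticated but sent in clear.
// The 96-bit nonce must never repeat under one key: reuse breaks secrecy and integrity.
func EncryptGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// DecryptGCM returns an error on any change to nonce, ciphertext, tag or aad.
func DecryptGCM(key, data, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(data) < n+gcm.Overhead() {
		return nil, errors.New("gcm: ciphertext too short")
	}
	return gcm.Open(nil, data[:n], data[n:], aad)
}

// FlipBit returns a copy of data with one bit flipped (tampering in transit).
func FlipBit(data []byte, index int, mask byte) []byte {
	out := append([]byte(nil), data...)
	out[index] ^= mask
	return out
}

// TamperGCM flips the same plaintext position in the GCM body (byte 5 after the
// 12-byte nonce). The CTR keystream is just as malleable, but the tag no longer verifies.
func TamperGCM(key []byte) (string, error) {
	aad := []byte("msg-id:17") // constructed header, bound to the tag
	ct, err := EncryptGCM(key, []byte(sample), aad)
	if err != nil {
		return "", err
	}
	pt, err := DecryptGCM(key, FlipBit(ct, 12+5, 0x08), aad)
	return string(pt), err
}

func main() {
	key, _ := NewKey()
	fmt.Println(TamperCBC(key)) // PAY 0900 USD TO ACCOUNT 0000042X <nil>
	fmt.Println(TamperGCM(key)) // (empty) cipher: message authentication failed
}
```

The CBC path is written inline so that the absence of any check is visible: the receiver decrypts the modified message and acts on it. With GCM the caller never sees plaintext from a modified message, and the associated data lets headers such as a message ID be bound to the ciphertext without encrypting them. When a product claims "AES-256", this is the follow-up question: which mode, who generates the nonce, and what happens on tag failure.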


FAQs
Is FIPS 140-3 required outside government procurement?
Not usually, but many regulated buyers adopt it as a shorthand procurement control. CMVP exists to promote the use of validated modules and to give buyers a procurement security metric they can check against a public certificate.

Does Common Criteria EAL7 mean 'unhackable'?
No. EALs are assurance packages about how rigorously the evaluated claims were checked; they don't eliminate vulnerabilities outside the TOE, violations of the ST's assumptions, or operational failure modes.

If a product is 'FIPS compliant,' is it validated?
Not necessarily. "Compliant" is often marketing, and may mean only that approved algorithms are used somewhere; validation should be tied to a specific CMVP certificate whose boundary and tested configuration match what you deploy.
