UNCLASSIFIED // FOR OFFICIAL USE ONLY

FIPS 140-2 Attestation

Document ID: VSI-FIPS-2025-001
Version: 2.0
Last Updated: January 1, 2025
Jurisdiction: United States · International
This document attests to VSI Technologies' implementation of FIPS 140-2 validated cryptographic modules across all VSI AI systems and government deployments. FIPS 140-2 (Federal Information Processing Standard Publication 140-2) is the U.S. government standard for cryptographic module validation, required for all federal government information systems processing sensitive but unclassified information and above.
01 Standard Overview

FIPS 140-2, "Security Requirements for Cryptographic Modules," establishes the U.S. and Canadian government standard for cryptographic module security. Modules are validated under the Cryptographic Module Validation Program (CMVP), jointly operated by NIST and the Canadian Centre for Cyber Security (CCCS).

Validation Levels: FIPS 140-2 defines four increasing levels of security:

| Level | Description | VSI Deployment |
|---|---|---|
| Level 1 | Basic security requirements. Approved algorithms and functions. | Minimum for all VSI deployments |
| Level 2 | Adds tamper-evidence (seals, coatings) and role-based authentication. | Standard for government deployments |
| Level 3 | Adds tamper-resistance and identity-based authentication. | Available for classified deployments |
| Level 4 | Complete physical security envelope. Highest level. | Coordinated per program requirement |

FIPS 140-3 Transition
NIST has published FIPS 140-3 as the successor standard. VSI is actively tracking CMVP transitions and will support FIPS 140-3 validated modules as they become available through approved vendors. All current deployments use FIPS 140-2 validated modules.
02 Validated Cryptographic Modules

VSI deployments utilize FIPS 140-2 validated cryptographic modules from NIST-approved vendors. The following table lists the primary cryptographic modules used across VSI platforms:

| Module Name | Vendor | CMVP Cert # | Level | Use Case |
|---|---|---|---|---|
| AWS-LC Cryptographic Module | Amazon Web Services | 4564 | 1 | GovCloud encryption services |
| Microsoft Azure FIPS Module | Microsoft | 4536 | 1 | Azure Government deployments |
| OpenSSL FIPS Object Module | OpenSSL Software Foundation | 3678 | 1 | Application-layer cryptography |
| BoringCrypto Module | Google | 4735 | 1 | Container-level cryptography |
| SafeNet Luna HSM | Thales Group | 4423 | 3 | Key management for classified deployments |

All validation certificates are publicly verifiable at: csrc.nist.gov/projects/cryptographic-module-validation-program

Module Selection
For each government deployment, VSI confirms that the FIPS 140-2 validated modules in use are appropriate for the information impact level and classification requirements of the program. Clients may request a program-specific cryptographic module attestation signed by VSI's CISO.
03 Implementation Details

VSI implements FIPS 140-2 across all layers of the system stack:

Operating System Level
All VSI production systems operate in FIPS mode at the OS level. Linux deployments use kernel-level FIPS enforcement. Windows deployments use the Windows FIPS policy setting. FIPS mode is verified as part of the system hardening baseline.
Application Level
Application cryptographic operations invoke FIPS-validated module APIs exclusively. Non-FIPS algorithms (MD5, SHA-1, DES, RC4) are disabled in FIPS mode. Legacy protocol versions (SSL, TLS 1.0, TLS 1.1) are not supported.
Key Management
Cryptographic keys are generated using FIPS-approved Deterministic Random Bit Generators (DRBGs). Keys are stored in FIPS-validated HSMs or encrypted key vaults. Key rotation is automated per NIST SP 800-57 recommendations. Key destruction follows NIST SP 800-88.
Transport Layer
All external network connections use TLS 1.2 or TLS 1.3 with FIPS-approved cipher suites only. Cipher suite priority list: TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
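
An added example, not VSI's verification tooling and not part of the original document: one way to check a Linux host's kernel FIPS flag and an endpoint's offered protocols and cipher suites against the priority list above. The function names, hostnames and scan results are constructed for illustration; `/proc/sys/crypto/fips_enabled` is the standard Linux kernel flag.

```python
# Allow list copied from the Transport Layer paragraph, in its priority order.
PRIORITY = ("TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
PROTOCOLS = ("TLSv1.2", "TLSv1.3")
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # Linux kernel flag, "1" = enforced

# Constructed scanner output (sample data): suites per protocol, server preference order.
SAMPLE_SCAN = {
    "api.example": {
        "TLSv1.3": ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"],
        "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
    },
    "legacy.example": {
        "TLSv1.3": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                    "TLS_CHACHA20_POLY1305_SHA256"],
        "TLSv1.1": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
    },
}

def kernel_fips_enabled(path=FIPS_FLAG):
    """True/False from the kernel flag; None when the file cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None  # non-Linux host, or kernel without FIPS support

def audit_endpoint(name, offered):
    """Return findings for one endpoint's {protocol: [suites]} mapping."""
    findings = []
    for proto, suites in offered.items():
        if proto not in PROTOCOLS:
            findings.append(f"{name}: {proto} is enabled")
            continue
        findings += [f"{name}: {proto} offers {s}" for s in suites if s not in PRIORITY]
        ranks = [PRIORITY.index(s) for s in suites if s in PRIORITY]
        if ranks != sorted(ranks):
            findings.append(f"{name}: {proto} preference order differs from priority list")
    return findings

def verify(scan, fips_path=FIPS_FLAG):
    state = kernel_fips_enabled(fips_path)  # None and False both count as a finding
    findings = [] if state else [f"host: kernel FIPS flag reads {state}"]
    for name, offered in scan.items():
        findings += audit_endpoint(name, offered)
    return findings

if __name__ == "__main__":
    print("\n".join(verify(SAMPLE_SCAN)) or "no findings")
```

An empty result means the host flag is set and every scanned endpoint stays within the listed protocols and suites in the listed order.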
04 Approved Algorithms

VSI AI systems exclusively use NIST-approved cryptographic algorithms as listed in FIPS 140-2 Annex A. The following algorithms are implemented:

| Algorithm | Standard | Key Size / Parameters | Use |
|---|---|---|---|
| AES | FIPS 197 | 128, 192, 256-bit | Symmetric encryption |
| SHA-2 Family | FIPS 180-4 | 256, 384, 512-bit | Hashing, digital signatures |
| RSA | FIPS 186-4 | 2048, 3072, 4096-bit | Asymmetric encryption, signatures |
| ECDSA | FIPS 186-4 | P-256, P-384, P-521 | Digital signatures |
| ECDH | SP 800-56A | P-256, P-384 | Key agreement |
| DRBG (Hash) | SP 800-90A | SHA-256, SHA-384 | Random number generation |
| HMAC | FIPS 198-1 | SHA-256, SHA-384, SHA-512 | Message authentication |
| PBKDF2 | SP 800-132 | SHA-256 / SHA-512 | Password-based key derivation |

Prohibited Algorithms
The following algorithms are NOT used in any VSI FIPS-mode deployment: MD5, SHA-1 (for signatures), DES, 3DES (deprecated), RC4, RC2, Blowfish, SSL 2.0/3.0, TLS 1.0/1.1. Any system component that cannot operate without these algorithms is isolated or replaced before government deployment.
05 Deployment Configuration Requirements

To ensure FIPS 140-2 compliance is maintained in client environments, the following configuration requirements apply to all government deployments:

  • FIPS mode must be enabled at the operating system level on all VSI host systems
  • Client-provided infrastructure must have FIPS mode enabled before VSI system deployment
  • Network devices in the communication path must support FIPS-approved cipher suites
  • Any hardware security modules (HSMs) must be FIPS 140-2 Level 2 or higher validated
  • Key management systems must be FIPS 140-2 validated or operated under equivalent controls
  • Third-party integrations that transmit data must support TLS 1.2+ with FIPS cipher suites
  • Backup and disaster recovery systems must maintain FIPS encryption requirements
Configuration Verification
VSI conducts a FIPS configuration verification check as part of the deployment acceptance process. A signed Configuration Verification Report is provided to the agency ISSO upon completion of each government deployment.
06 Government Requirements Mapping

The following table maps FIPS 140-2 implementation to key federal requirements:

| Requirement | Source | VSI Implementation |
|---|---|---|
| Use of FIPS-validated cryptography | FISMA, OMB A-130 | All modules listed in Section 02 |
| Approved cryptographic algorithms | NIST SP 800-53 SC-13 | See Section 04 algorithm table |
| Cryptographic key management | NIST SP 800-57 | HSM-based, automated rotation |
| Encryption for data in transit | NIST SP 800-52 Rev 2 | TLS 1.3 with FIPS cipher suites |
| Encryption for data at rest | NIST SP 800-111 | AES-256-GCM, FIPS 140-2 validated |
| IL4 cryptographic requirements | DoD Cloud SRG | FIPS 140-2 Level 1+ modules |
| IL5 cryptographic requirements | DoD Cloud SRG | FIPS 140-2 Level 1+ in GovCloud |
| NSS cryptographic requirements | CNSSP-15 | Coordinated per program |

07 Validation Contact
FIPS Attestation Requests
Government program ISSOs and security personnel may request:
• Signed FIPS 140-2 attestation letter (CISO-signed)
• Program-specific cryptographic module inventory
• FIPS configuration verification reports
• Cipher suite documentation for network assessment

Contact: security@vsitechnologies.ai
Subject line: "FIPS ATTESTATION REQUEST - [Program Name]"
Response SLA: 5 business days for government programs
// Document Authorization //
Issuing Authority: VSI Technologies Legal & Compliance Division
Contact: legal@vsitechnologies.ai
Document Control: Reviewed annually or upon material change