Proving Cryptographic Module Alignment with FIPS
Executive Summary
Auditors conducting CMMC assessments often require direct evidence that the cryptographic module in a deployed product corresponds to a validated FIPS listing on the NIST Cryptographic Module Validation Program (CMVP) database. Without this evidence, a SecureDoc deployment cannot be confirmed as FIPS-compliant, which risks failing a CMMC Level 2 or Level 3 assessment.
This procedure documents a repeatable, defensible method to correlate the cryptographic engine version visible in the SecureDoc client with the corresponding validated module on NIST’s CMVP database.
Affected Environments
Field | Details |
Product | WinMagic SecureDoc |
Affected Versions | SecureDoc 8.x and later (FIPS 140-2 validated modules) |
FIPS Standard | FIPS 140-2 (active); FIPS 140-3- September of 2026 |
Applicable Scenarios | CMMC assessments, auditor validation requests, any compliance requiring FIPS 140-2 or 140-3 |
Operating Systems | All editions of Microsoft Windows 10 and 11 |
Reference | NIST Cryptographic Module Validation Program (CMVP) |
Scope and Key Points
This procedure validates that the deployed SecureDoc cryptographic engine matches the version listed on the NIST CMVP certificate.
Exact version matching is the primary audit requirement — partial matches require additional documentation.
FIPS 140-2 certificates remain valid for currently deployed versions; FIPS 140-3 will be available in future release (September of 2026). This date is subject to change.
If a version mismatch is found, confirm the deployed version falls within the certified boundary before presenting to auditors.
This procedure applies to CMMC audits, and any compliance verification scenario.
Resolution Steps
STEP 1 Locate the Official FIPS Certification | |
Navigate to the WinMagic certifications page and follow the FIPS certification link to the NIST CMVP listing. https://winmagic.com/en/about-us/certifications/
|
STEP 2 Identify the Certified Module | |
On the NIST CMVP page, locate the WinMagic Cryptographic Engine certificate entry. Record the certificate number, module name, and validated software version (e.g., 8.7). The version is required for endpoint validation in Step 4.
|
STEP 3 Validate on the SecureDoc Client Endpoint | |
On a system with SecureDoc installed, right-click the SecureDoc application icon and select “About.” In the About window, locate the Cryptographic Engine version field and record the version string exactly as displayed. SecureDoc Application → Right-click → About
|
STEP 4 Perform Version Correlation | |
Compare the version from the NIST CMVP certificate (Step 2) with the version shown in the SecureDoc client (Step 3).
|
Common Scenarios
Scenario 1 — Auditor Requests FIPS Proof During CMMC Assessment
An auditor asks for direct evidence that SecureDoc’s cryptographic module is FIPS-validated. Navigate to the WinMagic certifications page, pull the NIST CMVP certificate number, and open the About window on a deployed endpoint to show version alignment. Present both screens side by side to satisfy the auditor’s requirement.
Scenario 2 — Deployed Version Differs from Certificate Version
After completing Steps 1 through 3, the endpoint shows a version that does not exactly match the NIST certificate. Check whether the deployed version is covered by the certificate’s boundary documentation. If it is not clearly covered, escalate to WinMagic support before presenting findings to the auditor.
Frequently Asked Questions
Q: What if the cryptographic engine version on the endpoint does not match the NIST certificate? A: First confirm whether the deployed version falls within the validated module boundary. If it does, document that and present it to the auditor. If it does not, escalate to WinMagic support before presenting findings. |
Q: Does FIPS 140-2 validation still count for CMMC assessments? A: Yes. As of this writing, FIPS 140-2 certificates remain active and are accepted for CMMC compliance. Auditors who raise concerns should be informed that FIPS 140-3 is on the WinMagic product roadmap. |
Q: Where do I find the WinMagic FIPS certificate number? A: Navigate to winmagic.com/en/about-us/certifications/ and follow the FIPS link to the NIST CMVP entry. The certificate number is listed on that page. |
Q: Q: Can this procedure be used for audits beyond CMMC? A: Yes. The procedure applies to any situation that requires FIPS validation, including support for a wide range of audit and assessment activities. |
WinMagic Technical Solutions · Internal Reference SD-FIPS-001
SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, and SecureDoc Central Database are trademarks of WinMagic Inc. Other products mentioned herein may be trademarks and/or registered trademarks of their respective owner.
Copyright © WinMagic Inc. All rights reserved. This document is for informational purposes only. WinMagic Inc. makes NO WARRANTIES, expressed or implied, in this document. All specifications stated herein are subject to change without notice.