AES 256 is a fantastic cryptographic algorithm. I highly recommend it. Be aware, however, that deploying an algorithm that is approved for use within a FIPS 140-2 validated crypto module is NOT the same as holding a validation. Likewise, just because you’re over 16 years old and know how to operate a vehicle does NOT mean that you have a driver’s license. You may be eligible, but there are steps that must be taken to prove that you meet all of the requirements before you are issued that certificate.
If you get pulled over on the freeway, you had better produce a valid and current driver’s license. (No, McLovin, a real license.) In technology, you had better be able to produce a valid and current listing on the NIST website, showing completion of the Cryptographic Module Validation Program (CMVP) and a confirmed FIPS 140-2 validation.
In order to do so, you must take your implementation of AES 256 (or another approved algorithm) and undergo thorough testing with the CAVP (NIST’s Cryptographic Algorithm Validation Program) as a prerequisite before your module can even enter the CMVP queue. Once that is complete, the entire module can then be tested against the FIPS 140-2 benchmark. Without the independent third-party laboratory, without NIST involvement and without a posted validation, you do NOT have FIPS 140-2 validated encryption, you’re NOT eligible for federal procurement, and you’re NOT in compliance for HITECH Safe Harbor in healthcare.
If you are shopping for a solution and need FIPS 140-2, you need it to be validated and posted on the NIST website. Don’t be fooled by phrases like “FIPS compliant algorithms” or “conforming to FIPS standards”. Either it has been validated or it has not. Next time, we will tackle exactly what a FIPS 140-2 validation looks like and what it means, explaining each piece of the certificate listings publicly posted by NIST. Until then, enjoy a quick laugh about the difference between eligibility and certification.