OpenSSL security validation encryption tool uncertain

20.07.2006

NIST, in an e-mailed statement, confirmed the "not-available" status but offered no reasons for it. "However, if non-compliance is discovered in a module after it has been validated, and based on a risk assessment it is deemed to be critical, the CMVP will advise all federal agencies to cease using the affected module," NIST said.

A representative from DOMUS IT Security Laboratory, the Ottawa, Canada-based company that is evaluating products for FIPS 140 compliance, referred all questions to the CMVP.

The continuing uncertainty about the status of OpenSSL is sure to prolong what has been a multi-year effort to certify the tool. Much of the delay resulted from a continuing series of tweaks OSSI was required to make to the cryptographic module at the request of the CMVP, said Steve Marquess, validation project manager at OSSI.

Part of the problem stems from the fact that the FIPS requirements were written for hardware-based encryption tools while OpenSSL is software-based. As a result, mapping FIPS' requirements to OpenSSL has proved challenging, Marquess said.

Vendors of commercial products have also raised a constant stream of technology-related questions that have proved time-consuming to address.