Both gateway firmware banks must be running a FIPS-approved firmware version for the gateway to be considered FIPS-compliant. To determine whether the cryptographic module of the gateway has FIPS-certified firmware, run the show image version command and verify that both Bank A and Bank B have FIPS-approved firmware versions installed.
To verify that the version(s) you have installed are certified for FIPS 140-2 compliance, see the Cryptographic Module Validation Program (CMVP) lists on the NIST website at http://www.nist.gov.
Before you enable FIPS approved mode, the show fips-mode command attempts to detect whether any non-FIPS-compliant CLI commands are configured. This helps identify which configured CLI commands will be automatically disabled when FIPS approved mode is enabled.
In the example below, the show fips-mode command reveals that FIPS approved mode is disabled and that PTLS link encryption for H.248 registration with CM would not be allowed if FIPS approved mode were enabled.
G4xx(super)# show fips-mode
FIPS Mode: Disabled
These configuration settings are not FIPS-compliant and
will be automatically disabled if FIPS-mode is enabled:
set link-encryption h248reg ptls yes
Be aware that the show fips-mode command might not detect all non-compliant configurations. Therefore, the Security Policy must always be used as the definitive source for determining whether a configuration is FIPS-compliant.
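The following added example (not from the original documentation or the vendor) parses captured show fips-mode output in the format shown above, so the settings that would be disabled can be reviewed before FIPS approved mode is enabled. It assumes one flagged command per line after the banner text; the function names are hypothetical.

```python
import re

# Constructed sample: the show fips-mode output shown above, as captured text.
SAMPLE = """\
G4xx(super)# show fips-mode
FIPS Mode: Disabled
These configuration settings are not FIPS-compliant and
will be automatically disabled if FIPS-mode is enabled:
set link-encryption h248reg ptls yes
"""

MODE_RE = re.compile(r"^FIPS Mode:\s*(\S+)\s*$", re.IGNORECASE)
BANNER_END_RE = re.compile(r"will be automatically disabled.*:\s*$", re.IGNORECASE)
PROMPT_RE = re.compile(r"^\S+\(\S+\)#")  # e.g. "G4xx(super)#"


def parse_show_fips_mode(text):
    """Return {'mode': str or None, 'flagged': [str]} from captured output."""
    mode, flagged, in_list = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROMPT_RE.match(line):
            in_list = False  # a new prompt ends any flagged-settings list
            continue
        m = MODE_RE.match(line)
        if m:
            mode = m.group(1).capitalize()
        elif BANNER_END_RE.search(line):
            in_list = True  # assumption: flagged commands follow, one per line
        elif in_list:
            flagged.append(line)
    return {"mode": mode, "flagged": flagged}


def pre_enable_report(text):
    """Summarize the output; an empty flag list is never reported as compliant."""
    r = parse_show_fips_mode(text)
    if r["mode"] is None:
        return "UNKNOWN: no 'FIPS Mode:' line found; do not assume compliance"
    if r["flagged"]:
        return "REVIEW: %d setting(s) will be disabled: %s" % (
            len(r["flagged"]), "; ".join(r["flagged"]))
    return "NO FLAGS: mode=%s; confirm against the Security Policy" % r["mode"]


if __name__ == "__main__":
    print(pre_enable_report(SAMPLE))
```
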