Where can I find FIPS 140-2 Validation Certificates?

Question

Every couple of years we have a CJIS/LEIN audit. That's Criminal Justice Information Systems / Law Enforcement Information Network. 
 One thing we need to show is that the technology we're using has been FIPS 140-2 validated. 
 Where can I find validation certificates for Sophos UTM 9.x? 
 
 Thanks!

Kelvin Desplanque · Accepted Answer

Kris: 
 The most direct way of finding a FIPS 140 certificate (or listing) is to go to the NIST CMVP " Module Validation Lists " web page ( http://csrc.nist.gov/groups/STM/cmvp/validation.html#01 ). From there you can go to see the entire list ( http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm ) or alternatively you can go to a list sorted by vendor ( http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm ). Please note that there is also a historical list for FIPS 140 validation which have expired (for one reason or another - http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-historical.htm ). 
 In none of these lists I see anything which matches Sophos UTM 9.X although there is one Sophos listing in the historical list - SafeGuard Cryptographic Engine ( http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-historical.htm#1549 ). It is quite possible that UTM 9.X employs this expired crypto library (Cert #1549) or some other currently FIPS validated crypto library but from what I can tell there is no evidence that it has a current validation. Even a check of the current CMVP FIPS 140-2 Modules in Process List ( http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf ) does not list any Sophos products currently undergoing FIPS 140 evaluation. The Sophos encryption solutions listing ( https://www.sophos.com/en-us/medialibrary/PDFs/other/Sophos%20Encryption%20Comparison%20Chart.pdf ) does seem to allude to the fact that several Sophos products are FIPS certified but unless there is an actual current CMVP validation number associated with a product then I would be cautious in assuming it to be FIPS 140-2 validated. 
 Another possibility is that UTM 9.X has been FIPS 140-2 validated but is listed under some Sophos subsidiary (e.g Utimaco, etc.). 
 As the other gentleman alluded to, perhaps it might be best to inquire with Sophos about this but do ask for a valid certification number on the CMVP website which you can cross reference against. 
 Sincerely, Kelvin Desplanque CISCO (FIPS 140-2 product certification engineer)