That brings me to the topic in my subject line. Have you come across products stating that they are "Validated" or "Compliant" rather than "Certified" or "Approved", and had to explain the meaning behind this?
There is a lot of confusion created by the use of these words. To clarify it, we will use an example with sources you can check for yourself, showing what is really Certified and Approved as opposed to following a guideline (Validated) or meeting certain requirements (Compliant).
Let's use VMware products for the discussion. VMware vSphere, NSX and vSAN are Approved DISA STIG solutions. If you head over to STIG Viewer, you can see the guidelines given for each approved solution; VMware vCenter, NSX and ESXi appear on the approved list. VMware vSAN is part of VMware ESXi, and as such it is also updated and stated in the ESXi STIG, which you can read more about in the public post that links to the STIG guideline.
To be part of a solution used in the DoD, a product has to have DISA STIG approval. However, merely following a DISA STIG guideline only makes a solution compliant, not approved. Approval can only be granted by the governing body.
Do not get this confused: anyone can be compliant by following a guideline, but that does not equal being approved.
Next, let's talk about Compliance. Take FIPS 140-2, which is governed by NIST. To know whether a vendor's cryptographic module is certified by NIST for FIPS, head over to the NIST search page and check whether the vendor is listed. When a solution or product claims it is FIPS compliant or validated, this does not equate to being certified, as many think. The word "Validated" has been misused many a time. To find out the truth, use the search at NIST and key in the vendor name to be sure.
If you enter VMware, you will see that the VMware Cryptography Module is listed; this is because vSphere is FIPS certified and uses this module. You can also try other vendors such as Red Hat, Oracle, Citrix, Nutanix and Microsoft, and you will find different results.
Note that FIPS 140-2 also has two levels, where level 1 is applicable only to software and level 2 only to hardware.
Be very careful when you need a FIPS solution and it is claimed to be Validated but is not really Validated, let alone Certified. What does your security policy require for compliance in your environment: is Validated enough, or must it be Certified? Make sure you are certain of it.