When selecting a module from a vendor, verify that the application or product that is being offered is either a validated SCAP module itself or product uses an embedded validated SCAP module. Ask the vendor to supply a signed letter stating their product or module is a validated module or incorporates a validated module, the module provides the following SCAP Capabilities (ACS, CVE, and/or OCIL), and reference the modules validation certificate number. The certificate number will provide reference to the above SCAP Validation Program lists of validated modules. Each entry will state what version/part number/release is validated, and the supported platforms the module has been validated. The information on the SCAP Validation Program validation entry can be checked against the information provided by the vendor and verified that they agree. If they do not agree, the vendor is not offering a validated solution.