Related Fundamentals: FIPS cryptographic boundaries depend on kernel and container interactions; see How Containers Interact with the Kernel to understand the scope of FIPS enforcement.
The following diagram illustrates the FIPS 140-3 cryptographic module boundary and validated components:
```mermaid
graph TB
    A["Application<br/>Code<br/>(TLS, Encryption, Hashing)"] -->|Call| B["FIPS-Validated<br/>Cryptographic<br/>Module Boundary"]
    B -->|CMVP Certified| C["OpenSSL 3.0<br/>FIPS Module<br/>#4949"]
    B -->|CMVP Certified| D["BoringSSL<br/>FIPS Module<br/>Google Cloud"]
    B -->|CMVP Certified| E["libgcrypt<br/>FIPS Module<br/>GnuPG"]
    C -->|Provides| C1["TLS 1.2/1.3"]
    C -->|Provides| C2["SHA-256/384/512"]
    C -->|Provides| C3["AES-GCM"]
    C -->|Provides| C4["ECDSA/RSA"]
    D -->|Provides| D1["Cloud KMS<br/>Operations"]
    D -->|Provides| D2["TLS for<br/>Cloud Services"]
    E -->|Provides| E1["GPG<br/>Operations"]
    E -->|Provides| E2["Key<br/>Management"]
    C1 -->|Kernel| F["Linux Kernel<br/>Network Stack"]
    C2 -->|Kernel| F
    C3 -->|Kernel| F
    C4 -->|Kernel| F
    F -->|Outside<br/>Boundary| G["NOT FIPS:<br/>Non-Validated<br/>Operations"]
    B -->|Level 2/3| H["Certification<br/>Requirements"]
    H -->|Algorithm| I["Correctness<br/>Testing"]
    H -->|Physical| J["Tamper<br/>Detection"]
    H -->|Documentation| K["NIST<br/>Database"]
    style B fill:#99ccff
    style C fill:#ccffcc
    style D fill:#ccffcc
    style E fill:#ccffcc
    style G fill:#ffcccc
```
How CleanStart Implements FIPS 140-3 Cryptography
FIPS 140-3 (Federal Information Processing Standard) specifies requirements for cryptographic modules used in U.S. federal government systems. While often perceived as "government only," FIPS 140-3 is increasingly required by regulated industries (finance, healthcare, defense contractors) and cloud providers (AWS GovCloud, Azure Government, Google Cloud FedRAMP).
CleanStart provides FIPS-validated cryptographic components through verified CMVP modules, enabling organizations to meet FIPS requirements without building custom cryptography.
FIPS 140-3 Levels
| Level | Focus | Typical Use | Cost |
|---|---|---|---|
| 1 | Algorithm correctness | Software, non-critical | $50K-100K |
| 2 | Tamper detection | General purpose servers | $150K-300K |
| 3 | Tamper resistance | Sensitive government/finance | $300K-500K |
| 4 | Tamper responsiveness | Military/classified | $500K-1M+ |
CleanStart uses FIPS Level 2 and 3 CMVP-validated modules (appropriate for federal and regulated sectors).
What "FIPS 140-3 Compliant" Actually Means
What It Does NOT Mean
- "FIPS-compliant software" doesn't exist (there is no such thing in the standard).
- "FIPS mode" is vague marketing (the actual requirement is specific modules).
- Running on a FIPS system doesn't make your code FIPS-compliant.
- Using "FIPS-approved algorithms" isn't sufficient (implementation matters).
What It DOES Mean
Using a cryptographic module that:
- has been tested by NIST/CMVP (Cryptographic Module Validation Program)
- passed conformance testing for algorithms, keys, randomness
- met physical security requirements for its level
- provides certified documentation
- is listed in the official NIST/CMVP database
FIPS-Validated Modules Used by CleanStart
OpenSSL 3.x (FIPS Module)
The OpenSSL project provides a CMVP-validated FIPS module (published March 2024):
```bash
# Check OpenSSL FIPS status
openssl version

# Output (FIPS-enabled version):
# OpenSSL 3.0.10 (FIPS module 3.0.10 - CMVP Validated)

# Verify FIPS module is active by listing the loaded providers
openssl list -providers | grep -i fips
# If a 'fips' provider is listed, the FIPS module is in use
```
CMVP Certification #4949 (OpenSSL 3.0 FIPS Module) supports TLS 1.2/1.3 with FIPS-approved ciphers, SHA-256, SHA-384, SHA-512 (hashing), AES-128/192/256-GCM (encryption), and RSA-PKCS#1-v1_5 and ECDSA (signatures).
BoringSSL (Google's Fork)
Google Cloud and GCP services use BoringSSL, which includes CMVP-validated FIPS support, in Google Cloud KMS, Cloud TLS termination, and Cloud Load Balancer. BoringSSL undergoes FIPS validation periodically.
libgcrypt (GnuPG)
For systems using GnuPG, libgcrypt provides FIPS support:
```bash
# GnuPG FIPS configuration
gpg --fips
# Enables FIPS mode for cryptographic operations
```
Implementing FIPS in CleanStart Images
FIPS Base Image
```dockerfile
# FROM is FIPS-validated OS
FROM ubuntu:24.04-fips
# Ubuntu Pro FIPS images available (Canonical)

# Install FIPS-validated OpenSSL
RUN apt-get update && apt-get install -y \
    openssl-fips=3.0.10-fips-1ubuntu1 \
    libssl3-fips=3.0.10-fips-1ubuntu1

# Verify FIPS module
RUN openssl version | grep -i fips || exit 1

# Build application against FIPS OpenSSL
COPY . /src
WORKDIR /src
RUN CC=gcc CFLAGS="-fPIC" LDFLAGS="-L/usr/lib/fips" \
    ./configure --with-openssl=/usr/lib/fips && \
    make && make install
```
FIPS-Enabled Service
```bash
# Check service uses FIPS module
cleanimg-init --image myapp:1.0.0 --fips-verify

# Output:
# Base image is FIPS-validated (Ubuntu 24.04-fips)
# OpenSSL is CMVP #4949 (FIPS module)
# All cryptographic operations use FIPS module
# No non-FIPS crypto libraries detected
# FIPS compliance verified
```
FIPS-Approved Algorithms
Hashing (SHA-2 Family)
FIPS-approved hashing algorithms include SHA-256 (most commonly used), SHA-384, and SHA-512. MD5 and SHA-1 are NOT FIPS-approved.
Encryption (AES)
FIPS-approved encryption algorithms include AES-128-GCM, AES-192-GCM, and AES-256-GCM (recommended). DES, 3DES, and RC4 are NOT FIPS-approved.
Key Exchange (TLS 1.2+)
FIPS-approved key exchange methods include ECDHE (elliptic curve) and DHE (Diffie-Hellman). RSA key exchange (deprecated in TLS 1.3) and PSK without PFS (not recommended) are NOT FIPS-approved.
Digital Signatures
FIPS-approved digital signature algorithms include RSA-PSS (with a 2048-bit minimum) and ECDSA (with curves P-256, P-384, P-521). RSA-PKCS#1-v1_5 (deprecated) and DSA (deprecated) are NOT FIPS-approved.
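The hashing, encryption and key-exchange lists above can be applied mechanically to an OpenSSL cipher string such as an `ssl_ciphers` value. The following is an added example, not CleanStart code: the function names and the sample string are hypothetical, and "REJECTED" only means the suite falls outside the approved lists given on this page.

```sh
#!/bin/sh
# Print APPROVED or REJECTED:<reason> for one OpenSSL cipher-suite name,
# judged against this page's approved lists (hypothetical helper).
suite_verdict() {
    suite=$1
    case $suite in
        # TLS 1.3 names carry only AEAD + hash; key exchange is always (EC)DHE.
        TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384)
            echo APPROVED; return 0 ;;
        TLS_*)
            echo "REJECTED:cipher not in approved list"; return 0 ;;
    esac
    # TLS 1.2 names: <kx>-<auth>-<cipher>-<mac>. No kx prefix means RSA key exchange.
    case $suite in
        ECDHE-*|DHE-*) ;;
        *) echo "REJECTED:no ECDHE/DHE key exchange"; return 0 ;;
    esac
    case $suite in
        *AES128-GCM*|*AES256-GCM*) ;;
        *) echo "REJECTED:cipher is not AES-GCM"; return 0 ;;
    esac
    case $suite in
        *-SHA256|*-SHA384) echo APPROVED ;;
        *) echo "REJECTED:hash is not SHA-2" ;;
    esac
}

# Audit a colon-separated cipher string; print each rejected suite with its
# reason and return 1 if any suite was rejected.
audit_cipher_list() {
    bad=0
    old_ifs=$IFS; IFS=:
    for s in $1; do
        v=$(suite_verdict "$s")
        [ "$v" = APPROVED ] || { echo "$s $v"; bad=1; }
    done
    IFS=$old_ifs
    return $bad
}

# Constructed sample: two approved suites, one RSA key exchange, one RC4 suite.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:TLS_AES_256_GCM_SHA384'
audit_cipher_list "$SAMPLE" || echo "cipher string contains suites outside the approved lists"
```

A name-based check like this only covers the algorithm lists; it says nothing about whether the suites are served by a validated module.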
FIPS Configuration Examples
PostgreSQL with FIPS
See: fips-postgresql.md
Redis with FIPS (via stunnel)
See: fips-redis.md
Kafka with FIPS
See: fips-kafka.md
Nginx with FIPS
See: fips-nginx.md
FIPS-Traces: Cryptographic Audit Trail
CleanStart provides the FIPS-Traces tool to verify FIPS compliance at runtime:
```bash
# Enable cryptographic tracing
cleanimg-init --image myapp:1.0.0 \
    --fips-traces \
    --fips-traces-level=debug

# During execution, traces all cryptographic operations:
# [FIPS] INIT: OpenSSL 3.0.10 FIPS Module #4949
# [FIPS] ALGO: AES-256-GCM (APPROVED)
# [FIPS] ALGO: SHA-256 (APPROVED)
# [FIPS] KEY: RSA-2048 (APPROVED)
# [FIPS] TLS: TLS_AES_256_GCM_SHA384 (APPROVED)

# If non-FIPS algorithm attempted:
# [FIPS ERROR] Algorithm RC4 is not FIPS-approved - BLOCKED
```
This proves at runtime that only FIPS-approved algorithms are used.
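A trace like the one above is most useful when a pipeline fails closed on it. The following is an added example, not part of the FIPS-Traces tool: it assumes the trace has been captured as plain lines in the format shown above (without the leading `# `), and the function names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Summarize a captured FIPS-Traces log read from stdin (hypothetical helper).
# Prints "module=<cert|none> approved=<n> unmarked=<n> blocked=<n>", then one
# line per blocked algorithm. Returns 1 unless the module INIT line is present
# and every traced operation is explicitly marked (APPROVED).
audit_fips_trace() {
    awk '
        /^\[FIPS\] INIT:/ {
            # Remember the CMVP certificate number announced at module init.
            if (match($0, /#[0-9]+/)) module = substr($0, RSTART, RLENGTH)
        }
        /^\[FIPS\] (ALGO|KEY|TLS):/ {
            # Fail closed: an operation without the APPROVED marker is suspect.
            if ($0 ~ /\(APPROVED\)$/) approved++; else unmarked++
        }
        /^\[FIPS ERROR\] Algorithm / { blocked[++nb] = $4 }
        END {
            printf "module=%s approved=%d unmarked=%d blocked=%d\n", \
                (module ? module : "none"), approved, unmarked, nb
            for (i = 1; i <= nb; i++) print "blocked: " blocked[i]
            exit ((module == "" || unmarked > 0 || nb > 0) ? 1 : 0)
        }'
}

# Constructed sample trace, modelled on the lines shown on this page.
sample_trace() {
    cat <<'EOF'
[FIPS] INIT: OpenSSL 3.0.10 FIPS Module #4949
[FIPS] ALGO: AES-256-GCM (APPROVED)
[FIPS] ALGO: SHA-256 (APPROVED)
[FIPS] KEY: RSA-2048 (APPROVED)
[FIPS] TLS: TLS_AES_256_GCM_SHA384 (APPROVED)
[FIPS ERROR] Algorithm RC4 is not FIPS-approved - BLOCKED
EOF
}

sample_trace | audit_fips_trace || echo "FIPS trace audit failed"
```

A blocked attempt still fails the audit here: the operation did not run, but some code path asked for a non-approved algorithm and should be found and fixed.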
FIPS Verification Tool
CleanStart includes FIPS-Verifier for automated compliance checking:
```bash
# Scan image for FIPS compliance
cleanimg-init --fips-verifier --image myapp:1.0.0

# Comprehensive checks:
# ✓ Base OS is FIPS-validated
# ✓ OpenSSL module is CMVP-certified
# ✓ No non-FIPS cryptography libraries detected
# ✓ System cryptographic libraries are FIPS-enabled
# ✓ Configuration uses FIPS-approved algorithms
# ✓ TLS certificates use approved key types
# ✓ No deprecated algorithms found

# Output: FIPS Level 3 Ready (full compliance)
```
Common FIPS Pitfalls
Pitfall 1: FIPS Mode ≠ FIPS Compliance
```bash
# BAD: Relying on "FIPS mode" setting
sudo sysctl crypto.fips=1
# This doesn't make software FIPS-compliant by itself

# GOOD: Using CMVP-validated modules
openssl version
# OpenSSL 3.0.10 (FIPS module 3.0.10 - CMVP Validated)
```
Pitfall 2: FIPS-Approved Algorithm ≠ FIPS Module
Using SHA-256 doesn't mean you're using a FIPS module—your implementation might be insecure. FIPS requires: (1) Algorithm approved (SHA-256), (2) Implemented in validated module (OpenSSL FIPS), (3) Module tested by NIST/CMVP (Cert #4949), (4) Module properly configured (not disabled). Only then are you FIPS-compliant.
Pitfall 3: Missing Library Dependencies
```bash
# BAD: Application links to non-FIPS libraries
ldd /usr/local/bin/myapp | grep -v fips
# libcrypto.so (system OpenSSL, might not be FIPS)

# GOOD: Application links to FIPS modules only
ldd /usr/local/bin/myapp
# libssl.so => /usr/lib/fips/libssl.so
# libcrypto.so => /usr/lib/fips/libcrypto.so
```
FIPS Compliance in Federal Contracting
NIST SP 800-171 Requirement
If you have a federal contract, you likely must meet NIST SP 800-171 (Cybersecurity Matrix for Non-Federal Information Systems). SC-13 requires cryptographic controls, FIPS-validated modules, NSA-approved algorithms, and secure key management.
CleanStart satisfies SC-13 through an active FIPS module (OpenSSL #4949), TLS 1.3 with FIPS-approved ciphers, AES-256-GCM encryption, SHA-256 hashing, RSA-2048 key exchange, and protected cryptographic key storage.
FedRAMP SC-13
FedRAMP High baseline requires SC-13 controls:
```bash
# Generate FedRAMP SC-13 compliance evidence
cleanimg-init --compliance fedramp --image myapp:1.0.0 \
    --control sc-13

# Evidence includes:
# - FIPS module validation certificate
# - Cryptographic algorithm verification
# - TLS configuration audit
# - Key management procedures
```
FIPS and Open Source
OpenSSL FIPS Validation Status
- OpenSSL 3.0: CMVP #4949 (Validated, March 2024)
- OpenSSL 1.1.1: CMVP #3731 (Validated, but EOL as of Sept 2023)
- OpenSSL 1.0.2: CMVP #1747 (Validated, but EOL)

CleanStart uses OpenSSL 3.0 to ensure current validation.
Custom Cryptography
Do NOT implement your own cryptographic functions: custom encryption is never validated. Use the OpenSSL FIPS module for production cryptography.
Next Steps
For FIPS implementation guides:
- Language-specific: See fips-language-implementations.md
- Database: See fips-postgresql.md, fips-kafka.md, fips-redis.md
- Web server: See fips-nginx.md
- Verification: See fips-verifier.md
- Runtime monitoring: See fips-traces.md
See Also
- FIPS Language Implementations: fips-language-implementations.md — Language-specific FIPS support.
- Post-Quantum Cryptography: post-quantum-cryptography.md — Future-ready crypto.
- FedRAMP Compliance: ../regulatory/fedramp-high.md — Regulatory requirements.
