Why FIPS Compliance Matters Beyond Government
FIPS 140 is the U.S. (and Canadian) standard for cryptographic modules: it sets the security requirements a module must meet, and its annexes and NIST's supporting publications list the approved algorithms. It started as a government-only concern, but if you sell to any U.S. federal agency it is non-negotiable: no validated module behind your product, no contract. Healthcare organizations handling HIPAA data frequently write FIPS into their encryption requirements (HHS breach guidance points to NIST encryption standards for treating lost data as unreadable), financial institutions and PCI DSS assessors sometimes do, and the major cloud providers offer FIPS endpoints and validated HSM services for customers in regulated industries. A single validated module can unlock entire market segments.
FIPS 140-3 is the current version of the standard. It specifies security requirements for cryptographic modules (design, key management, self-tests, physical security) and, through its annexes, the approved algorithms. Organizations handling federal information or selling to the government must use validated modules running approved algorithms.
```mermaid
graph TD
    US["U.S. Federal Requirements"]
    US --> Rule1["OMB Circular A-130"]
    US --> Rule2["FISMA"]
    US --> Rule3["DoD Contracts"]
    Rule1 --> Approved["Use FIPS-Approved<br/>Algorithms"]
    Rule2 --> Approved
    Rule3 --> Approved
    Approved --> AES["AES-256<br/>SHA-256<br/>RSA-2048"]
    Approved --> Exclude["Exclude<br/>DES, MD5<br/>SHA-1"]
    AES --> Validated["FIPS 140-3<br/>Validated Module"]
    Exclude --> Validated
    Validated --> Deploy["Deploy in<br/>Government Systems"]
    style Validated fill:#ccffcc
    style Exclude fill:#ffcccc
```
Why Governments Require FIPS
1. Trust in Cryptography
Governments cannot depend on unverified encryption. Validation gives them four things: approved algorithms only (AES, SHA-2, SHA-3 and the other algorithms in the FIPS 140 annexes); weak algorithms excluded (DES, MD5 and RC4 were never approved, and SHA-1 and 3DES are being retired); tested implementations (the module's algorithms pass CAVP known-answer tests and the module passes laboratory testing of its self-tests, key management and error handling); and a public record of exactly which versions and platforms were tested. Validation is not a backdoor audit: it checks conformance to the standard, not the wisdom of the standard. Dual_EC_DRBG was an approved algorithm in SP 800-90A until NIST removed it in 2014.
2. Compliance with Regulations
U.S. federal law and policy require it through several mandates. FISMA (the Federal Information Security Management Act, updated in 2014) makes FIPS publications mandatory for federal agencies, with no waiver available for FIPS 140. OMB Circular A-130 directs agencies to implement NIST standards, including FIPS-validated cryptography for protecting federal information. DoD contracts, and NIST SP 800-171 for contractors handling controlled unclassified information (requirement 3.13.11), call for FIPS-validated cryptography. One thing FIPS does not do: validation status does not change export-control treatment, which is governed separately under the Export Administration Regulations.
3. Competitive Requirement
Organizations selling to government must ship FIPS-validated cryptography. With a FIPS 140-2 or 140-3 validation certificate for the module your product uses (your own, or a vendor's module you embed), you can bid on contracts that require it; without one you are disqualified, however strong your cryptography is. "FIPS-compliant" on a datasheet is not the same as "FIPS-validated": only the latter has a CMVP certificate number a procurement officer can look up.
FIPS Approved Cryptographic Algorithms
Approved Encryption (Symmetric)
| Algorithm | Key Size | Status |
|---|---|---|
| AES (FIPS 197) | 128, 192, 256-bit | Approved ✅ |
| 3DES / TDEA | 168-bit (three-key) | Legacy only ⚠️: encryption disallowed after 2023, decryption of already-protected data only (SP 800-131A Rev. 2) |
| RC5 | 40-128 bit | Not approved ❌ |
| RC4, Salsa20, ChaCha20-Poly1305 | various | Not approved ❌ (ChaCha20-Poly1305 is common in TLS 1.3 stacks; a FIPS-mode stack must not negotiate it) |
Approved Hashing (Cryptographic Hash Functions)
| Algorithm | Status |
|---|---|
| SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 (FIPS 180-4) | Approved ✅ |
| SHA3-224/256/384/512, SHAKE128/256 (FIPS 202) | Approved ✅ |
| SHA-1 | Disallowed for digital signature generation since 2013 ❌; still accepted in non-signature roles such as HMAC, but NIST plans to retire it entirely by the end of 2030, so treat it as gone |
| MD5 | Never approved ❌ (collisions are practical) |
Approved Key Exchange
| Method | Status |
|---|---|
| Elliptic Curve Diffie-Hellman (ECDH on P-256/P-384/P-521, SP 800-56A Rev. 3) | Approved ✅ |
| Finite-field Diffie-Hellman (DH, 2048-bit or larger, SP 800-56A Rev. 3) | Approved ✅ |
| RSA key transport or key agreement (2048-bit or larger, SP 800-56B Rev. 2) | Approved ✅ |
| ML-KEM (FIPS 203, 2024) | Approved ✅ (post-quantum key encapsulation) |
| RSA or DH below 2048 bits | Not approved ❌ |
Approved Digital Signatures
| Algorithm | Status |
|---|---|
| RSA (2048-bit or larger, PKCS#1 v1.5 or PSS, with SHA-2 or SHA-3; FIPS 186-5) | Approved ✅ |
| ECDSA (P-256/P-384/P-521 with SHA-2 or SHA-3; FIPS 186-5) | Approved ✅ |
| EdDSA (Ed25519, Ed448; added in FIPS 186-5, 2023) | Approved ✅ |
| ML-DSA (FIPS 204) and SLH-DSA (FIPS 205), 2024 | Approved ✅ (post-quantum) |
| DSA | Removed from FIPS 186-5 ❌: no new signatures; verification of existing signatures only |
| RSA-1024, or any signature using SHA-1 or MD5 | Not approved ❌ |
FIPS 140-2 vs FIPS 140-3
FIPS 140-2 (Legacy)
Status: legacy. CMVP stopped accepting new FIPS 140-2 submissions on September 22, 2021; existing certificates stay on the Active list until September 21, 2026, after which every 140-2 certificate moves to the Historical list and agencies should not cite it for new procurements. Thousands of modules were validated under 140-2, which is why so many products still quote a 140-2 certificate. Key requirements include documented cryptographic algorithms and a defined module boundary, physical security for hardware modules, role-based access controls, and self-tests and error detection.
FIPS 140-3 (Current Standard)
Status: current standard, and the only one CMVP accepts new submissions under (effective September 22, 2019; sole submission path since September 22, 2021). FIPS 140-3 is largely an adoption of ISO/IEC 19790:2012, with test requirements from ISO/IEC 24759:2017, so much of the evidence carries over to other 19790-based schemes. Changes from 140-2 include an explicit taxonomy of software, firmware, hardware and hybrid modules that fits virtualized and cloud deployments, stronger authentication and self-test requirements (pre-operational and conditional tests), explicit rules for zeroization and degraded operation, a section on non-invasive attack mitigation, and more prescriptive security-policy documentation.
Timeline: FIPS 140-2 certificates become historical on September 21, 2026. Any system being built now should be designed around a 140-3 validated module, or a vendor whose 140-3 submission is already in the CMVP queue.
CMVP: The Validation Process
CMVP (Cryptographic Module Validation Program) is the joint program of NIST and the Canadian Centre for Cyber Security (CCCS) that validates cryptographic modules. Its sibling, the CAVP (Cryptographic Algorithm Validation Program), tests the individual algorithm implementations first; a module cannot receive a CMVP certificate without CAVP certificates for the algorithms it claims.
The validation process:
1. The vendor submits the module, its security policy, boundary definition and CAVP results to an accredited Cryptographic and Security Testing Laboratory (CSTL; labs are accredited under NVLAP).
2. The lab tests the module against FIPS 140-3 (using the ISO/IEC 24759 test requirements) at the security level claimed.
3. The lab sends its detailed test report to CMVP.
4. NIST and CCCS review the report, raise comments, and issue a certificate number.
5. The certificate is published on the validated modules list, together with the security policy, the exact module versions and operating environments tested, and the algorithm certificates.
What gets validated is the cryptographic module (a specific version of a library, firmware image or hardware device inside a defined cryptographic boundary), not the application built on top of it. Vendors embed validated modules in their products rather than validating each product. For example, the OpenSSL FIPS Provider is a validated module used by thousands of applications; but the validation covers that provider at the versions and platforms listed on its certificate, not the rest of OpenSSL, and not a distribution's patched build unless the distribution obtained its own certificate (Red Hat and Canonical, among others, do).
To check whether a product is FIPS-validated, search the CMVP validated modules list at https://csrc.nist.gov/projects/cryptographic-module-validation-program/. A search for the vendor "OpenSSL" shows the OpenSSL FIPS Provider, certificate #4282, validated against FIPS 140-2; the certificate page lists the exact validated versions, so compare them against what you actually ship. A certificate on the Historical list, or a version not on the certificate, does not count.
FIPS 140 Security Levels
FIPS 140 defines four security levels. The level describes how much the module resists attack, especially physical attack; software modules stop at Level 1 (140-2 allowed Level 2 software on a Common Criteria-evaluated operating system), and Levels 3 and 4 mean hardware in practice.
Level 1
The baseline: approved algorithms, at least one approved security function, working self-tests, and a defined cryptographic boundary. No physical security requirements beyond production-grade components. Software modules on a general-purpose OS live here. Example: the OpenSSL FIPS Provider, or any other validated software library.
Level 2
Adds tamper evidence (seals, coatings, pick-resistant locks on covers and doors) so that physical access leaves traces, and role-based authentication: an operator must authenticate to a role before using a service. Example: HSMs and smart cards with basic physical protection.
Level 3
Adds tamper detection and response for covers and doors (critical security parameters are zeroized when the enclosure is opened), identity-based authentication, and physically separated ports or a trusted channel for plaintext keys entering and leaving the module. Example: enterprise HSMs; this is the level cloud KMS and dedicated-HSM offerings typically advertise.
Level 4
The maximum: an envelope of protection that detects and responds to any penetration attempt, plus protection against environmental attacks (voltage or temperature outside the operating range) rather than mere detection. The standard describes it as suitable for modules operating in physically unprotected environments. Few modules pursue it.
In practice: most organizations consume Level 1 software modules for application cryptography and Level 2-3 hardware for root and signing keys, and satisfy compliance that way.
Using FIPS in Containers and Cloud
FIPS-Validated OpenSSL Module
Red Hat UBI and Ubuntu Pro FIPS images ship a validated OpenSSL module, but that module only operates in FIPS mode when the host kernel does:
```Dockerfile
FROM registry.access.redhat.com/ubi9/ubi:latest

# Do not run `fips-mode-setup --enable` here: it configures the kernel command line
# (fips=1) and cannot take effect inside a container build. FIPS mode is a property of
# the host kernel; the container inherits /proc/sys/crypto/fips_enabled, and RHEL's
# OpenSSL loads its FIPS provider when that flag is 1.
#
# Verify at run time, not build time (a build-time RUN reports the build host):
#   cat /proc/sys/crypto/fips_enabled     # expect 1
#   openssl list -providers               # expect an entry named "fips"
# `openssl version` alone prints nothing about FIPS.
```
Cloud Providers and FIPS
Google Cloud: Google's own services use BoringCrypto, the FIPS-validated module inside BoringSSL. That covers Google-terminated TLS and Google-managed services, not the code inside your Cloud Run container: an environment variable on `gcloud run deploy` does not change which cryptographic library your application links. To run validated cryptography in Cloud Run, ship the validated module in the image (the OpenSSL FIPS Provider, or a Go binary built with GOEXPERIMENT=boringcrypto).
AWS provides FIPS support through CloudHSM (FIPS 140-2 Level 3 validated hardware modules under your control), KMS (whose HSMs are FIPS 140 validated; check the CMVP list for the current certificate and level), and FIPS endpoints for most services (of the form service-fips.region.amazonaws.com; the SDKs select them when AWS_USE_FIPS_ENDPOINT=true is set), so that the TLS connection itself terminates on validated cryptography.
Azure offers Key Vault with HSM-backed keys (FIPS 140-2 Level 2 validated), and Azure Managed HSM and Azure Dedicated HSM (FIPS 140-2 Level 3). Provider claims move as modules are re-validated under 140-3; confirm the certificate on the CMVP list before citing a level in a proposal.
FIPS in Federal Contracts
If your organization sells to the U.S. government, several compliance requirements apply.
Procurement Requirement
Government RFPs (Requests for Proposal) typically state something like: "Software must use FIPS 140-2 (or 140-3) validated cryptographic modules." Read that literally: it means using only approved algorithms, executing them inside a validated module at a version listed on the certificate, quoting the CMVP certificate numbers, and documenting the mapping in your security documentation (System Security Plan, SBOM). "Uses FIPS-approved algorithms" with no certificate behind it is what vendors call "FIPS-compliant", and it is not enough.
Contract Language
Federal contracts often include clauses like: "All cryptographic modules used for protecting Federal information must be FIPS 140-2 or FIPS 140-3 validated. Vendor must provide CMVP certificate numbers and the module's security policy."
Compliance Verification
Federal procurement and assessment teams verify by looking up each claimed certificate on the CMVP list (active, not historical; version and platform matching what is deployed), checking that every cryptographic operation in scope uses an approved algorithm, reviewing the security documentation, and sometimes requesting evidence such as the module's self-test output or configuration showing FIPS mode enabled.
Implementing FIPS Compliance
Step 1: Audit Your Cryptography
Identify every cryptographic operation in the stack, including the ones hidden in libraries and TLS configuration. For encryption: AES in any approved mode for data at rest is FIPS-approved; Salsa20, ChaCha20-Poly1305, RC4 and Blowfish are not. For hashing and MACs: SHA-2 and HMAC-SHA-2 are approved; MD5 anywhere in a security role is not, and SHA-1 in signatures is not. For transport: TLS 1.2 or 1.3 restricted to the cipher suites in SP 800-52 Rev. 2 is approved; SSLv3, TLS 1.0 and TLS 1.1 are not. For random numbers: an SP 800-90A DRBG seeded from the operating system, not a home-grown generator. And note where keys come from: a key generated by non-validated code is not a FIPS key even if a validated AES later uses it.
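As an added example (this is the editor's code, not CleanStart's scanner or anything from the original page), a small static audit script that runs the Step 1 inventory over Python-style source and maps each non-approved primitive to its replacement. The rule list and the sample source are constructed for the example; tune the patterns to your own stack:

```python
"""Static audit for non-FIPS-approved primitives in source text (added example)."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Each rule: (core regex, label, suggested replacement). The replacement text is
# this example's guidance, summarised from SP 800-131A Rev. 2 and SP 800-52 Rev. 2.
_RULES = [
    (r"md5",                     "MD5",              "SHA-256 (FIPS 180-4)"),
    (r"sha-?1",                  "SHA-1",            "SHA-256; SHA-1 is disallowed for signatures and retired by 2030"),
    (r"3des|des3|tripledes|des", "DES/3DES",         "AES (3DES encryption disallowed after 2023)"),
    (r"a?rc4|arcfour",           "RC4",              "AES-GCM"),
    (r"salsa20|chacha20",        "Salsa20/ChaCha20", "AES-GCM (ChaCha20-Poly1305 is not FIPS-approved)"),
    # TLS 1.0/1.1 and SSLv2/3; the inner lookahead keeps TLSv1.2 / TLSv1_3 from matching.
    (r"sslv?[23]|tlsv?1(?:[._][01])?(?![._]\d)", "SSLv3/TLS 1.0/1.1",
     "TLS 1.2+ with approved cipher suites (SP 800-52 Rev. 2)"),
]
# Identifier boundaries: '_' and '.' count as separators so PROTOCOL_TLSv1 and
# hashlib.md5 match, while 'describe' (contains 'des') and 'sha256' do not.
_COMPILED = [(re.compile(rf"(?<![a-z0-9])(?:{core})(?![a-z0-9])", re.IGNORECASE), label, fix)
             for core, label, fix in _RULES]
_NON_SECURITY = re.compile(r"usedforsecurity\s*=\s*False")


@dataclass(frozen=True)
class Finding:
    line_no: int
    algorithm: str
    severity: str      # "replace": non-approved crypto; "info": explicitly non-security use
    snippet: str
    replacement: str


def scan_source(text: str) -> List[Finding]:
    """One finding per (line, algorithm), ordered by line and then position in the line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = []
        for pattern, label, fix in _COMPILED:
            m = pattern.search(line)
            if m:
                hits.append((m.start(), label, fix))
        for _, label, fix in sorted(hits):
            severity = "replace"
            # hashlib.md5(..., usedforsecurity=False) is declared non-cryptographic; Python
            # 3.9+ serves it from the non-FIPS provider, so flag for review, not replacement.
            if label in ("MD5", "SHA-1") and _NON_SECURITY.search(line):
                severity = "info"
            findings.append(Finding(line_no, label, severity, line.strip(), fix))
    return findings


def scan_file(path: str) -> List[Finding]:
    return scan_source(Path(path).read_text(encoding="utf-8", errors="replace"))


def format_report(findings: List[Finding]) -> str:
    rows = [f"{f.line_no:>4}  {f.severity:<7} {f.algorithm:<18} -> {f.replacement}" for f in findings]
    return "\n".join(rows) if rows else "no non-approved primitives found"


# Constructed sample source for the example (never executed, only scanned).
SAMPLE_SOURCE = """\
import hashlib, ssl
from Crypto.Cipher import DES3, AES
digest = hashlib.md5(payload).hexdigest()
sig = hashlib.sha256(payload).hexdigest()
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
cipher = DES3.new(key, DES3.MODE_CBC)
aead = AES.new(key, AES.MODE_GCM)
etag = hashlib.md5(blob, usedforsecurity=False).hexdigest()
"""

if __name__ == "__main__":
    print(format_report(scan_source(SAMPLE_SOURCE)))
```

On the sample it reports DES3 on lines 2 and 6, MD5 on line 3, TLS 1.0 on line 5, and the `usedforsecurity=False` MD5 on line 8 as informational; the SHA-256 and AES-GCM lines pass. Identifier-based scanning is a first pass only: it cannot see algorithms chosen at run time (a TLS library's default cipher list, a JWT library's `alg` header), which the runtime checks in Step 4 have to cover.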
Step 2: Replace Non-Compliant Algorithms
```python
import hashlib

data = b"example payload"   # placeholder input for the example

# ❌ Not FIPS-approved: MD5 is collision-broken, and an OpenSSL FIPS provider refuses it
# outright, so on a FIPS-mode host this line raises ValueError.
hash_obj = hashlib.md5(data)

# ✅ FIPS-approved: SHA-256 (FIPS 180-4)
hash_obj = hashlib.sha256(data)

# If MD5 survives only in a non-security role (cache key, legacy checksum), declare it:
# Python 3.9+ then fetches the digest from the non-FIPS provider and the call keeps working.
etag = hashlib.md5(data, usedforsecurity=False)
```
Step 3: Use FIPS-Validated Modules
```Dockerfile
FROM registry.access.redhat.com/ubi9/ubi:latest
# RHEL/UBI OpenSSL carries Red Hat's own CMVP certificate for its FIPS provider; look it
# up by vendor on the CMVP list and pin the image to a validated OpenSSL version rather
# than assuming the OpenSSL project's certificate (#4282) covers a distribution build.
# FIPS mode itself is inherited from the host kernel (see "Using FIPS in Containers").
RUN rpm -q openssl-libs    # record the exact package version in your compliance file
```
Step 4: Verify Compliance
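As an added example (not part of the page's code), a startup probe a Python service can run to confirm that the validated module is actually operating in FIPS mode on whatever host it landed on. It assumes a Linux host exposing /proc/sys/crypto/fips_enabled and Python 3.9+ (for the `usedforsecurity` keyword); the openssl CLI check is optional, and the provider listing used to exercise the parser is constructed:

```python
"""Runtime FIPS probe for a Python service (added example)."""
import hashlib
import ssl
import subprocess
from pathlib import Path
from typing import Dict, List, Optional


def kernel_fips_enabled() -> Optional[bool]:
    """Linux kernel FIPS flag; RHEL/UBI containers inherit it from the host.
    None when the sysctl does not exist (non-Linux, or a kernel without it)."""
    try:
        return Path("/proc/sys/crypto/fips_enabled").read_text().strip() == "1"
    except OSError:
        return None


def parse_providers(listing: str) -> List[str]:
    """Provider ids from `openssl list -providers` output (OpenSSL 3): the two-space-indented
    lines without a colon; the deeper 'name:/version:/status:' lines describe them."""
    return [ln.strip() for ln in listing.splitlines()
            if ln.startswith("  ") and not ln.startswith("    ") and ":" not in ln]


def openssl_providers() -> Optional[List[str]]:
    """Run the CLI; None if it is absent, [] on OpenSSL 1.1 (which has no providers).
    Note `openssl version` never mentions FIPS; the provider list is the signal."""
    try:
        out = subprocess.run(["openssl", "list", "-providers"],
                             capture_output=True, text=True, check=False).stdout
    except OSError:
        return None
    return parse_providers(out)


def md5_blocked() -> bool:
    """In FIPS mode the OpenSSL FIPS provider refuses MD5, so hashlib.md5() raises
    ValueError. False means security code can still reach non-approved digests."""
    try:
        hashlib.md5(b"probe")
        return False
    except ValueError:
        return True


def md5_allowed_for_non_security_use() -> bool:
    """usedforsecurity=False (Python 3.9+) fetches the digest from the non-FIPS default
    provider, so checksums and cache keys keep working on a FIPS host."""
    try:
        hashlib.md5(b"probe", usedforsecurity=False)
        return True
    except (ValueError, TypeError):   # TypeError: Python < 3.9 has no such keyword
        return False


def fips_report() -> Dict[str, object]:
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "kernel_fips": kernel_fips_enabled(),
        "providers": openssl_providers(),
        "md5_blocked": md5_blocked(),
        "md5_non_security_ok": md5_allowed_for_non_security_use(),
    }


def is_fips_mode(report: Dict[str, object]) -> bool:
    """Conservative verdict: require both the kernel flag and the behavioural check.
    The provider list is informational only (the CLI may not be the library Python links)."""
    return report.get("kernel_fips") is True and report.get("md5_blocked") is True


if __name__ == "__main__":
    r = fips_report()
    for k, v in r.items():
        print(f"{k:<22} {v}")
    print("FIPS mode:", is_fips_mode(r))
```

Wire `is_fips_mode(fips_report())` into a readiness check and fail closed when it is False: the usual failure is a validated image scheduled onto a node that was never booted with fips=1, and a failed readiness probe surfaces that long before an auditor does.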
```sh
# 1. Kernel flag: the switch containers inherit from the host
cat /proc/sys/crypto/fips_enabled        # expect: 1

# 2. OpenSSL 3 provider list: `openssl version` says nothing about FIPS, this does
openssl list -providers                  # expect an entry named "fips"

# 3. Behavioural check: a FIPS-mode OpenSSL refuses non-approved digests
echo test | openssl dgst -md5            # expect an error, not a hash
echo test | openssl dgst -sha256         # expect a hash
```
CleanStart and FIPS
CleanStart Source Intelligence Core supports FIPS-validated deployments: it generates FIPS-compliant base images, scans containers to confirm that only FIPS-approved algorithms are present, enforces FIPS requirements through admission control so that non-conforming workloads are rejected before they run, generates compliance reports for federal audits, and signs its SBOM and VEX documents with FIPS-approved algorithms.
FIPS Best Practices
- Use current standards: prioritize FIPS 140-3 over 140-2 for new projects.
- Use validated modules: always run approved algorithms inside a FIPS-validated module, at a version listed on its certificate.
- Check the CMVP list: verify each certificate on the official list, including that it is active rather than historical.
- Replace weak algorithms: eliminate MD5, SHA-1, DES and 3DES from your stack.
- Document compliance: maintain records of which modules, versions and certificate numbers each component relies on.
- Update regularly: track FIPS and NIST transition dates (the 140-2 sunset, the SHA-1 and 3DES retirements).
- Test compliance: audit your environment for non-approved algorithms and for modules not actually running in FIPS mode.
- Engage early: address FIPS requirements in the design phase of a government project, not at the security review.
Common FIPS Misconceptions
Myth 1: "FIPS Makes Encryption Stronger"
Reality: FIPS doesn't make an algorithm stronger; it constrains you to algorithms NIST considers sound and to implementations that have been tested. AES-256 is the same cipher inside and outside FIPS mode.
Myth 2: "FIPS Requires Hardware Modules"
Reality: Level 1 modules can be software-only, and most validated modules are. Physical requirements begin at Level 2 (tamper evidence), and Levels 3 and 4 mean hardware in practice.
Myth 3: "FIPS-Validated Means No Vulnerabilities"
Reality: FIPS validates that the module implements the approved algorithms correctly and meets the standard's requirements inside its boundary. It does not audit the rest of the product, and it does not prevent bugs in the module itself; validated OpenSSL builds have carried CVEs. The validated build is also frozen to the versions on the certificate, so a security patch can move you off the validated version until the vendor re-validates. Plan for that tension rather than discovering it during an audit.
Myth 4: "Compliance is a One-Time Effort"
Reality: FIPS compliance requires ongoing monitoring and updates as standards evolve.
Related Concepts
Supply Chain Security involves FIPS compliance as part of federal supply chain requirements. Cryptographic Agility provides ability to switch algorithms as standards change. Key Management includes FIPS requirements for secure key handling. Secure Configuration requires FIPS to use documented, repeatable security practices.
Further Reading
NIST FIPS 140-3 Standard - official specification. CMVP Validated Module List - public list of validated products (https://csrc.nist.gov/projects/cryptographic-module-validation-program/). FIPS 140-2 Standard - previous standard. OMB Circular A-130 - federal cryptography requirements. NIST SP 800-131A Rev. 2 - algorithm and key-length transition dates.
