Are your code and server FIPS compliant?

Have you ever built a platform with ambitions extending across the pond, specifically targeting the US market? If so, you've likely encountered the enigmatic and essential concept of FIPS compliance. But fear not, intrepid developer, for this blog post acts as your map through this compliance labyrinth.

Firstly, let's demystify the acronym. FIPS stands for Federal Information Processing Standard, a set of strict security regulations for cryptographic modules (CMs) used by US government agencies. Think of it as a baseline security guarantee for software vendors seeking federal contracts.

So, how do you make your platform sing the sweet siren song of FIPS compliance? Here's a breakdown:

• Kernel Crypto API: This core system component manages encryption and decryption operations in the kernel of the operating system. Ensure it's configured for FIPS mode.
• Libgcrypt & OpenSSL: These cryptographic libraries handle your data's encryption and hashing. Make sure they're FIPS-certified versions.
• Docker & Kubernetes, a Compliance Twist: In containerized environments, the responsibility shifts. Your base image needs to be FIPS-compliant, not just the host machine (though both can be for extra security).
• Code Compliance: The Final Frontier: Don't forget your very own code! It needs to leverage FIPS-compliant cryptographic libraries. In Golang, for example, embrace the FIPS-validated "goboringcrypto" library and compile your code using the appropriate FIPS settings.

Remember, FIPS compliance isn't just a checkbox; it's about building trust and security for your US-based customers. By following these steps and consulting the provided resources (including Wikipedia, GitLab's FIPS guide, and Igor Kupczyński's insightful Golang article), you can ensure your platform sails smoothly through the FIPS compliance waters.

Additional Tips:

• Testing is key! Utilize tools like "fips-detect" to verify your system and code are truly FIPS-compliant.
• Stay updated. FIPS standards evolve, so keep an eye on new regulations and library versions.

As you navigate this path, remember, FIPS compliance doesn't have to be an odyssey. With the right map and a bit of guidance, you can build secure, US-ready software that truly shines.

References:

https://en.wikipedia.org/wiki/FIPS_140

https://docs.gitlab.com/ee/development/fips_compliance.html

https://kupczynski.info/posts/fips-golang/