FedRAMP and FIPS 140-2 Cryptography

Graham Steel
October 27, 2020

If you want to supply cloud-based services to the US Federal Government, you have to get FedRAMP approval. This certification process covers a whole host of standard security issues, but is very specific about its requirements on cryptography: according to rule IA-7, you have to use FIPS 140-2 validated modules wherever cryptography is needed.

This is a stronger requirement than just using the NIST recommended (or "FIPS compliant") algorithms: you have to be able to show that the implementation of these algorithms has passed a FIPS 140-2 validation in an approved lab.

Proving that your application uses only these modules can be time-consuming for large applications. For example in Java, if you call cryptography through the standard JCE interface without giving an explicit provider, the JVM figures out at run-time which provider should respond based on the algorithms available and the provider order.

On top of this, the current Bouncy Castle FIPS implementation (which is the only show in town as far as software-only FIPS 140-2-validated Java providers go at the moment) can run in both FIPS and non-FIPS mode. Setting FIPS mode is also a run-time property, and not stable across threads.

screenshot of the FIPS verifier rule in Cryptosense Analyzer
Cryptosense Analyzer highlighting non-FIPS validated modules in use

Fortunately you don't have to do this by hand any more: Cryptosense Analyzer can now detect whether a FIPS-validated module has been used in the right mode, and produce reports that enable you to export issues to developers or vendors for fixes, or submit to an auditor to show you're complying with the requirement.

Find out more about how Cryptosense Analyzer helps detect FIPS validated crypto modules get in touch for a demo.