FIPS Validated Cryptographic Modules and FedRAMP Compliance #2905

Open
hollygirouard opened this issue Oct 23, 2024 · 1 comment

Comments

hollygirouard commented Oct 23, 2024

FIPS Validated Cryptographic Modules and FedRAMP Compliance

Problem

As FusionAuth does not use FIPS validated cryptographic modules, the software is not compliant with the requirements for FedRAMP authorization. This creates challenges for organizations that need to meet these federal security standards to adopt or continue using FusionAuth. Additionally, the version of Java currently shipped with FusionAuth (Java 21 as of version 1.53) is not FIPS validated, and FusionAuth does not use Bouncy Castle’s FIPS-certified API, which is a common path for achieving FIPS validation.

Solution

FusionAuth should explore incorporating FIPS validated cryptographic modules into the platform and consider upgrading to or providing an option to use a FIPS validated version of Java. Alternatively, integrating Bouncy Castle’s FIPS-certified API could be an effective approach. This would enable FusionAuth to become FedRAMP authorized and make it easier for federal agencies or organizations working in highly regulated sectors to adopt the platform.

Alternatives/workarounds

support FIPS validated cryptographic modules and are FedRAMP authorized. Another workaround could be enabling customers to configure FusionAuth to use external FIPS-compliant modules manually.

Additional context

FedRAMP authorization and FIPS validation are increasingly becoming critical compliance requirements for U.S. government agencies and contractors, which limits FusionAuth’s market potential in these sectors. Ensuring that cryptographic operations within FusionAuth meet these standards would help broaden the product’s appeal and adoption.

If we implement this, make sure to update the license FAQ: https://fusionauth.io/license-faq#46

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan (Member) commented Oct 23, 2024

In theory, anyone could run FusionAuth on a FIPS certified JVM. It is not clear to me if that would be adequate.

The FusionAuth JWT library is only one piece of the puzzle here, but this library already does allow for a BC FIPS Crypto Provider to be selected at runtime. Example:

It is plausible that this same pattern could be used more generally in FusionAuth as well. But if the request is for a fully supported, tested deliverable that is compatible with FedRAMP - my guess is that requires much more than a technical change, but lots of certifications.

There are no immediate plans to address this - but anything is possible if there is enough demand.
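As an added illustration of the runtime-provider pattern described in the comment above (this is not the fusionauth-jwt library's own code, which the comment does not show): the Bouncy Castle FIPS provider is registered with the JCA and then requested by name for an HS256 computation, so the call fails if the provider is missing rather than silently falling back to the JDK default. It assumes the bc-fips jar is on the classpath; the key and JWT signing input are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public final class FipsProviderCheck {

    private static final String FIPS_PROVIDER = "BCFIPS";

    // Register the BC FIPS provider ahead of the JDK defaults so that JCA lookups
    // made without an explicit provider name also resolve to it.
    static Provider registerFipsProvider() {
        Provider existing = Security.getProvider(FIPS_PROVIDER);
        if (existing != null) {
            return existing;
        }
        Provider fips = new BouncyCastleFipsProvider();
        Security.insertProviderAt(fips, 1);
        // Restrict this thread to approved algorithms only (the setting is thread-scoped).
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
        return fips;
    }

    // HS256 over the JWT signing input (base64url header "." base64url payload).
    // Requesting the provider by name throws NoSuchProviderException when it is absent,
    // and the post-check guards against a different provider having served the call.
    static byte[] hmacSha256(byte[] key, String signingInput) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256", FIPS_PROVIDER);
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        if (!FIPS_PROVIDER.equals(mac.getProvider().getName())) {
            throw new IllegalStateException("HMAC was not served by " + FIPS_PROVIDER);
        }
        return tag;
    }

    public static void main(String[] args) throws Exception {
        registerFipsProvider();
        // Constructed sample values: a 32-byte key and {"alg":"HS256","typ":"JWT"}.{"sub":"1234"}.
        byte[] key = "constructed-32-byte-secret-key!!".getBytes(StandardCharsets.US_ASCII);
        String signingInput = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0";
        System.out.println("provider=" + Security.getProvider(FIPS_PROVIDER).getInfo());
        System.out.println("hs256=" + HexFormat.of().formatHex(hmacSha256(key, signingInput)));
    }
}
```

Running this on a JVM without the bc-fips jar fails at class loading, which is the desired outcome: a FIPS deployment should never degrade to the non-validated provider unnoticed.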
