fusionauth-issues
FIPS Validated Cryptographic Modules and FedRAMP Compliance
Problem
As FusionAuth does not use FIPS validated cryptographic modules, the software is not compliant with the requirements for FedRAMP authorization. This creates challenges for organizations that need to meet these federal security standards to adopt or continue using FusionAuth. Additionally, the version of Java currently shipped with FusionAuth (Java 21 as of version 1.53) is not FIPS validated, and FusionAuth does not use Bouncy Castle’s FIPS-certified API, which is a common path for achieving FIPS validation.
Solution
FusionAuth should explore incorporating FIPS validated cryptographic modules into the platform and consider upgrading to or providing an option to use a FIPS validated version of Java. Alternatively, integrating Bouncy Castle’s FIPS-certified API could be an effective approach. This would enable FusionAuth to become FedRAMP authorized and make it easier for federal agencies or organizations working in highly regulated sectors to adopt the platform.
Alternatives/workarounds
support FIPS validated cryptographic modules and are FedRAMP authorized. Another workaround could be enabling customers to configure FusionAuth to use external FIPS-compliant modules manually.
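The Solution and workaround sections above both come down to the same operational question: is the JVM actually serving cryptographic operations from a validated module such as the Bouncy Castle FIPS provider ("BCFIPS"), rather than from the default SunJCE provider? The following standalone Java program is an added example, not FusionAuth code and not part of this issue; it assumes the bc-fips jar is on the classpath and uses the provider class name (org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider) and the CryptoServicesRegistrar class published with the Bouncy Castle FIPS distribution. It registers BCFIPS at the top of the JCA provider order if it is not already there, reports whether approved-only mode is on, and confirms which provider a cipher lookup resolves to.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

// Added example (not FusionAuth code): probe the running JVM for the Bouncy Castle FIPS
// provider, register it at the highest priority when the bc-fips jar is present, and
// check that a symmetric cipher really resolves to BCFIPS instead of SunJCE.
// Assumption: the bc-fips jar is on the runtime classpath; without it the check reports
// that no validated module is in use.
public class FipsProviderCheck {

    static final String BCFIPS_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
    static final String REGISTRAR_CLASS = "org.bouncycastle.crypto.CryptoServicesRegistrar";

    /** Returns the registered BCFIPS provider, loading and registering it if needed; null if absent. */
    static Provider ensureBcFips() {
        Provider existing = Security.getProvider("BCFIPS");
        if (existing != null) {
            return existing;
        }
        try {
            // Reflection keeps this class compilable without bc-fips on the compile classpath.
            Class<?> cls = Class.forName(BCFIPS_CLASS);
            Provider p = (Provider) cls.getDeclaredConstructor().newInstance();
            // Position 1 makes BCFIPS the first provider consulted by JCA lookups.
            Security.insertProviderAt(p, 1);
            return p;
        } catch (ReflectiveOperationException e) {
            return null;
        }
    }

    /** True when BCFIPS is in approved-only mode (only FIPS-approved algorithms permitted). */
    static boolean isApprovedOnlyMode() {
        try {
            Class<?> registrar = Class.forName(REGISTRAR_CLASS);
            return (Boolean) registrar.getMethod("isInApprovedOnlyMode").invoke(null);
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }

    /** Name of the provider that would serve the given cipher transformation, or "none". */
    static String providerFor(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (GeneralSecurityException e) {
            return "none";
        }
    }

    public static void main(String[] args) {
        System.out.println("JCA providers before registration:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }

        Provider fips = ensureBcFips();
        if (fips == null) {
            System.out.println("BCFIPS not available: bc-fips jar is not on the classpath;"
                    + " this JVM is not using a validated module.");
            return;
        }
        System.out.println("BCFIPS registered: " + fips.getInfo());
        System.out.println("approved-only mode: " + isApprovedOnlyMode());
        // With BCFIPS at position 1 this should report "BCFIPS" rather than "SunJCE".
        System.out.println("AES/GCM/NoPadding served by: " + providerFor("AES/GCM/NoPadding"));
    }
}
```

For a permanent setup the same registration is normally done statically rather than in code: a `security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider` line in the JDK's `java.security` file, plus the `-Dorg.bouncycastle.fips.approved_only=true` system property that the Bouncy Castle FIPS documentation describes for approved-only mode. Two caveats apply to any such check: having the provider loaded does not by itself mean the deployment is operating the module within the conditions of its FIPS Security Policy, and a JCA lookup that silently falls back to SunJCE (for example for an algorithm BCFIPS does not offer in approved mode) is exactly the failure this kind of probe is meant to surface.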
Additional context
FedRAMP authorization and FIPS validation are increasingly becoming critical compliance requirements for U.S. government agencies and contractors, which limits FusionAuth’s market potential in these sectors. Ensuring that cryptographic operations within FusionAuth meet these standards would help broaden the product’s appeal and adoption.
If we implement this, make sure to update the license FAQ: https://fusionauth.io/license-faq#46
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or an opinion on how this feature should work.