FIPS 140-3 compliance
Who is this for and what problem do they have today?
- For environments where FIPS 140-3 compliance is required
- US federal agency requirement
What are the success criteria?
- Complies with FIPS 140-3
Why is solving this problem impactful?
- Required for deployment in Federal agencies
Additional notes
@mattschumpert - we should publish the build w/ the gnutls weaker crypto extensions.
cc: @dcoded - we should add this to your PRD
Sorry, I just saw this. I've added a mention of FIPS 140 to the PRD @emaxerrno.
As far as I can tell FIPS 140-3 is relatively "new" (2020) and FIPS-validated OpenSSL providers (OpenSSL, SafeLogic, etc.) have yet to complete certification for 140-3.
Here is a snippet of a blog post by OpenSSL on Sept 30, 2022.
The project recently finished a FIPS 140-2 validation which will satisfy any immediate needs for NIST approved cryptography. However, beginning in September 2021, NIST is transitioning to the more recent FIPS 140-3 standard which means that a FIPS 140-3 validation will be required before the FIPS 140-2 validation is subject to their sunsetting policy - which is typically five years after the validation is granted.
...
As announced at the ICMC22 conference, the project has updated its roadmap to include FIPS 140-3 as the major feature in the OpenSSL 3.1 release series. At this stage, we do not have a timeline for submission let alone for the validation process and issuing of the FIPS 140-3 certificate. However, it is unlikely to complete before 2024.
However, these providers have 140-2 certifications until 2025/2026.
We will likely have to design/test against 140-2 libraries until such time as we can leverage 140-3 validated ones.