Federal information systems need FedRAMP approval for authority to operate.  To get that approval, they must comply with the Federal Information Processing Standards (FIPS). For cryptography, this means that if you’re a U.S. government agency or a vendor or contractor supplying the government, you must use FIPS 140-2 compliant modules wherever encryption is required. If you want to use Istio or Envoy in those systems, you can’t use the stock community builds of Istio and Envoy, since they don’t use FIPS-compliant cryptography modules and are thus not suitable for a FedRAMP environment.

Tetrate enables government organizations to meet this requirement by supplying Istio users with the first FIPS-verified open source distribution of Istio and Envoy as part of Tetrate’s hardened and performant Tetrate Istio Distro

In this article we will lay out the basics of FIPS compliance, what it means for Istio and Envoy, and the surest way to get to production with Istio in a FIPS-regulated environment.

TL;DR

  • Software used by federal information systems must be FIPS compliant.
  • Stock builds of Istio and Envoy are not FIPS compliant.
  • Tetrate offers the first FIPS-certified builds of Istio and Envoy with its open source Istio distribution, Tetrate Istio Distro, plus enterprise support with Tetrate Istio Subscription.

To find out more about FIPS and Istio, download our free Primer on Zero Trust and FIPS for Cloud Native Applications.

What Is FIPS and Why Does it Matter?

FIPS is a set of standards for information processing systems that all U.S. federal agencies, contractors, and vendors must adhere to. FIPS is also widely regarded as a set of robust and trustworthy security standards that is often adopted by private sector organizations.

A key part of FIPS governs cryptographic modules, the specialized hardware, software, and firmware that encrypt data to ensure privacy and authenticity. NIST offers the Cryptographic Module Validation Program (CMVP) to ensure that validated modules are safe and approved for use in federal information systems.

As part of CMVP, NIST authorizes independent labs to audit cryptographic modules submitted by vendors for review. Modules that pass this review are said to be FIPS validated. The validation status of all modules submitted to CMVP is published via a publicly searchable database.

If you want to run software that does cryptography for the U.S. government, you have to make sure its crypto modules are validated by one of those labs.

Golang and Envoy Cryptography and FIPS Compliance

Istio and Envoy are not built against validated crypto modules by default. Because of this, the stock community builds of Istio are not FIPS-compliant, either. But, it is possible to compile against FIPS-validated crypto modules to produce a FIPS-compliant build. The trick is where to find a build of Istio that you can trust is properly compiled against FIPS-validated crypto. There are at least two ways to go about creating a distribution that can be verified by a third party as compliant with FIPS and suitable for FedRAMP. 

Fork and validate. One way is to fork an existing crypto library and go through the process of having it validated by CMVP. The forking approach has the sole advantage of listing the vendor of the forked module in the CMVP database. Unfortunately, this approach also has significant downsides: the forked module must be maintained by the vendor and is subject to the inevitable risk that highly sensitive cryptography will drift from the more well-maintained upstream version of the module.

Reuse and verify. The other approach—the one we took with Tetrate Istio Distro—is to compile against a crypto module that has already been validated by CMVP and then have the build process verified as FIPS-compliant by a third-party laboratory. We took this approach for TID because we think it is by far the best for our users. And, while this means Tetrate doesn’t show up in the CMVP database by name, we eliminate the risk of a drifting fork for our users and we offer only the smallest and most well-scrutinized footprint of sensitive cryptographic code that must be FIPS validated.

Tetrate’s FIPS-Verified Istio and Envoy Builds Are Certified for Use in FedRAMP Environments

For Tetrate Istio Distro’s FIPS-compliant builds, we compile Istio—and its data plane of Envoy proxies—to use BoringSSL which, in turn, uses a core module called Boring Crypto. Boring Crypto is FIPS 140-2 validated (Certificate #3678). You can read about the specific details of how this is done in the TID documentation.

We then engage an NVLAP-accredited testing lab to verify that our distribution uses the CMVP-validated crypto module correctly. As part of Tetrate Istio Subscription, our customers receive a certificate of compliance along with access to our FIPS-certified builds to ensure that their use of Istio satisfies FedRAMP’s requirements for authority to operate.

Download Our Primer on Zero Trust and FIPS

If you want to know more about FIPS and the role it plays more broadly in zero trust security, you can download our free Primer on Zero Trust and FIPS for Cloud Native Applications. If you’re interested in using Tetrate’s FIPS-compliant Istio, check out Tetrate Istio Distro and Tetrate Istio Subscription, or download our PDF on FIPS-Certified Istio and Enterprise Support from the Founders and Maintainers of Istio and Envoy.

Author(s)