
FIPS 140-2 Validated Service Mesh

FIPS compliant build of Istio to help you achieve compliance, accelerate your FedRAMP approval process and ensure applications are protected. 

Tetrate’s FIPS-compliant Istio-powered service mesh is designed for organizations that must comply with NIST FIPS 140-2 standards. Tetrate implements cryptographic modules that have been validated by NIST, making your environment more stable and secure with less operational overhead. Built on a foundation of Zero Trust, Tetrate Istio Distribution (TID) meets strict federal government cybersecurity requirements of NIST FIPS 140-2 and FIPS 140-3 standards.

Key Features:

  • Hardened, performant distribution of 100% upstream Istio and Envoy
  • FIPS-verified builds of Istio suitable for FedRAMP
  • Compatibility testing for the major cloud providers, including AWS, Azure, and GCP
  • Improved Istio installation and lifecycle management
  • Expanded version support and maintenance
  • Long-term support (LTS for N-4 which is typically 15 months of Istio releases)
  • Production Istio support and services

You can access this distribution now from Tetrate (see tetratefips-v0) or choose Tetrate Istio Subscription, which includes support for this new distribution. This verified distribution is also included in the US Government’s Iron Bank repository for verified software. 

What Is FIPS 140-2 And What Does FIPS Validated Mean?

Most large organizations have compliance obligations around FIPS. These include customers in the U.S. Government, but many businesses consider FIPS a best practice that helps them meet other regulatory requirements and industry best practices. 
Federal Information Processing Standards (FIPS) 140-2 is a U.S. government standard defined by the National Institute of Standards and Technology (NIST). It specifies the security requirements that must be satisfied by a cryptographic module. FIPS 140-2 validation is required by U.S. law when information systems use cryptography to protect sensitive government information. In order to achieve FIPS 140-2 certification, cryptographic modules are subject to rigorous testing by independent Cryptographic and Security Testing Laboratories, accredited by NIST.

FIPS Certification Levels

There are two levels of FIPS adherence: FIPS compliant and FIPS certified/validated.

  • FIPS compliant is a self-certification, meaning the vendor indicates they are adhering to the standards.
  • FIPS certified/validated means the product has been tested at a national lab and audited to confirm it adheres to FIPS standards. 

When you use FIPS 140-2 verified (not just compliant) software, you know the specific machine image you are running has been tested, meeting the highest standards required. Additionally, FIPS standards promote interoperability, ensuring that different systems and components can work together seamlessly.

Which Organizations Require FIPS 140-2 Compliance?

FIPS 140-2 validation is mandatory for use in federal government departments that collect, store, transfer, share and disseminate sensitive but unclassified information. This applies to all federal agencies as well as their contractors and service providers, including networking and cloud service providers. FIPS 140-2 has become the de facto standard for encryption beyond the federal government and is recognized as an important security standard outside the United States. This standard is used extensively in many state and local government agencies as well as non-governmental industries, particularly manufacturing, healthcare and financial services, or wherever there are federal regulations governing data security. Regulations in such industries may require FIPS 140-2 compliance.

Anyone deploying systems into a U.S. federal SBU environment, and this includes cloud services, is required to comply with FIPS 140-2 certification. In other words, the encryption associated with the computer systems, solutions and services used by federal government agencies must meet the minimum standards specified in FIPS PUB 140-2. This has a huge impact on the IT procurement process, as the only solution vendors that can be considered (without obtaining a variance) are those that have had their products validated as being FIPS 140-2 compliant.

Where Does FIPS 140 Fit Into The FedRAMP Process?

An important key to understanding the FedRAMP process is the set of controls required to meet or exceed the certification process. One specific control pertaining to the protection of sensitive data and the use of cryptographic modules is SC-13.

SC-13 under the “System and Communication Protection” category includes guidance on the use of cryptography. Under this guidance, any use of cryptographic modules requires the organization to meet federal standards and policies. The use of FIPS validated cryptographic modules demonstrates the modules have been properly implemented according to NIST standards and are trustworthy to protect sensitive information. 

FIPS validation helps accelerate your FedRAMP approval process, including related controls. SC-13 is applicable to all FedRAMP impact levels. It is also related to 28 additional controls, all of which are linked to the use of cryptographic modules.

Why Does FedRAMP Use NIST SP 800-53?

Today, NIST SP 800-53 is the de facto standard for IT control baselines in the federal government. One of the key benefits of FIPS 140 is that it can aid in the process of achieving FedRAMP approval. Third-party software such as Kubernetes, Istio and others does not simply inherit the service provider’s FIPS certification. Each software or hardware vendor is responsible for certifying their solution to ensure compliance with the NIST standard.

Why Choose Tetrate For FIPS?

Upstream Istio doesn’t provide FIPS-compliant builds suitable for use in regulatory environments. Encryption isn’t enough, and if you use purely open source, you inherit the burden of developing and maintaining missing security features. Tetrate solves these challenges for you by offering TID Istio and Envoy binaries that are compiled against FIPS validated cryptographic modules and verified by an accredited testing lab to be FedRAMP compliant. TIS subscribers get access to Tetrate’s FIPS verified Istio builds and the corresponding certification of compliance.


Tetrate supports and maintains the four most recent versions of Istio, so you can manage updates predictably.

FIPS + Service Mesh Expertise

Tetrate delivers enterprise-grade Istio in compliance with federal mandates for security and compliance.


Leverage Tetrate’s team of service mesh experts to reduce the operational burden on your resources.
