FIPS-Verified Istio and Envoy
Accelerate your FedRAMP approval process and meet compliance standards including HIPAA, PCI DSS and GDPR
At Tetrate, we’re proud to offer FIPS-compliant solutions that meet the highest standards for security and encryption. Whether you are looking to improve your security posture with a Zero Trust Architecture (ZTA), comply with U.S. government Executive Orders, or implement FIPS 140-2 validated modules for encrypting data in transit, Tetrate offers a FIPS-verified distribution of Istio and Envoy.
Tetrate Istio Subscription
Tetrate Istio Subscription delivers the confidence and compliance you need to run Istio and Envoy in highly regulated, production environments. It includes Tetrate Istio Distro, a 100% upstream distribution of Istio and Envoy that is FIPS verified and meets the requirements of organizations seeking FedRAMP authorization.
FIPS and FedRAMP
Cloud services used by the federal government typically need FedRAMP approval for authority to operate. To get that approval, they must comply with the Federal Information Processing Standards (FIPS). For cryptography, this means that if you’re a U.S. government agency or a vendor or contractor supplying the government, you must use FIPS 140-2 compliant modules wherever encryption is required. If you want to use Istio or Envoy in those systems, you can’t use the stock community builds of Istio and Envoy, since they don’t use FIPS-compliant cryptography modules and are thus not suitable for a FedRAMP environment.
For more information, read our primer for Zero Trust and FIPS for Cloud Native Applications.
What Is FIPS Validated vs Verified vs Certified
As part of the Cryptographic Module Validation Program (CMVP), NIST authorizes independent labs to audit cryptographic modules submitted for review. Modules that pass this review are said to be FIPS validated. The validation status of all modules submitted to CMVP is published via a publicly searchable database.
Software that uses FIPS-validated cryptographic modules may need additional verification from an accredited testing lab that those cryptographic modules are used correctly in order to be authorized by a program like FedRAMP. Such software is said to be FIPS verified.
Certification is an industry term applied more generally to programs like CMVP that seek to provide provable compliance with a standard. In the context of FIPS 140, certified essentially means validated.