seanorama changed the title from "How are you able to use AWS ELBs when they are not FIPS validated?" to "How are you able to use AWS ELBs when they are not FIPS compliant?" on Mar 1, 2022
Answering the "how this is possible?" part involves some tea leaf reading, but it seems that FedRAMP today is taking a much harder line on FIPS 140-2 validated cryptography than they did 5 years ago.
So cloud.gov and other earlier-authorised CSPs are not running on fully FIPS-validated stacks -- which you've probably noted. We were not required to be fully FIPS-140 initially, and we're now on a path to full FIPS 140 in coming months/years (it's not a short journey, as you're also likely aware).
As far as I can tell, FIPS 140 is now a hard requirement to start the FedRAMP authorization process.
I may be pulling together a community of practice for small-CSP compliance officers. If you're interested, please email me at [email protected] and I'll let you know when we get that started.
Also, if you're actually asking about what plans we have, if any, to provide routing and TLS with FIPS 140, I can help there but not in an open forum.
My understanding is that FedRAMP authorization requires "FIPS 140-2", but:
However, your docs indicate the use of ELB for TLS connections: https://cloud.gov/docs/compliance/domain-standards/#ssltls-implementation
Can you clarify how this is possible, considering the NIST & FedRAMP requirements for "FIPS 140-2"?