Open hollygirouard opened 4 weeks ago
In theory, anyone could run FusionAuth on a FIPS certified JVM. It is not clear to me if that would be adequate.
The FusionAuth JWT library, which is only one piece of the puzzle here, already allows a BC FIPS crypto provider to be selected at runtime. Example:
It is plausible that this same pattern could be used more generally in FusionAuth as well. But if the request is for a fully supported, tested deliverable that is compatible with FedRAMP - my guess is that requires much more than a technical change, but lots of certifications.
There are no immediate plans to address this - but anything is possible if there is enough demand.
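As an added illustration of the "select a FIPS provider at runtime" pattern the comment refers to (this is plain JCA example code, not the fusionauth-jwt library's own API): the point for a FedRAMP evaluation is that a FIPS-validated JVM or a registered BC FIPS jar is only adequate if every signing path is pinned to that provider and fails closed when it is absent, rather than silently falling back to the JDK's default SunRsaSign provider. It assumes the Bouncy Castle FIPS jar (bc-fips) is on the classpath, which registers the provider class `BouncyCastleFipsProvider` under the name "BCFIPS"; the signing input is a constructed JWT header.payload string, not a real token.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public class FipsPinnedSigner {
    // Provider name registered by the Bouncy Castle FIPS jar (assumed; check your bc-fips version).
    static final String FIPS_PROVIDER = "BCFIPS";

    public static void main(String[] args) throws Exception {
        // Registering the provider first makes unqualified getInstance(alg) calls resolve to it,
        // but registration alone is not a control: any call site that does not name the provider
        // still depends on provider ordering, which other libraries can change at runtime.
        if (Security.getProvider(FIPS_PROVIDER) == null) {
            Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
        }

        // Pin the provider explicitly. If the FIPS jar is missing this throws
        // NoSuchProviderException instead of quietly using a non-validated module.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", FIPS_PROVIDER);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed JWT signing input: base64url(header) "." base64url(payload), RS256.
        byte[] signingInput = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZW1vIn0"
                .getBytes(StandardCharsets.US_ASCII);

        Signature signer = Signature.getInstance("SHA256withRSA", FIPS_PROVIDER);
        signer.initSign(kp.getPrivate());
        signer.update(signingInput);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA", FIPS_PROVIDER);
        verifier.initVerify(kp.getPublic());
        verifier.update(signingInput);
        boolean ok = verifier.verify(sig);

        // Record which module actually performed the operation; an auditor will ask for this,
        // so it belongs in startup logging rather than only in a test.
        Provider used = signer.getProvider();
        if (!FIPS_PROVIDER.equals(used.getName())) {
            throw new IllegalStateException("signature produced by non-FIPS provider: " + used.getName());
        }
        System.out.println("verified=" + ok + " provider=" + used.getName() + " v" + used.getVersionStr());
    }
}
```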
FIPS Validated Cryptographic Modules and FedRAMP Compliance
Problem
As FusionAuth does not use FIPS validated cryptographic modules, the software is not compliant with the requirements for FedRAMP authorization. This creates challenges for organizations that need to meet these federal security standards to adopt or continue using FusionAuth. Additionally, the version of Java currently shipped with FusionAuth (Java 21 as of version 1.53) is not FIPS validated, and FusionAuth does not use Bouncy Castle’s FIPS-certified API, which is a common path for achieving FIPS validation.
Solution
FusionAuth should explore incorporating FIPS validated cryptographic modules into the platform and consider upgrading to or providing an option to use a FIPS validated version of Java. Alternatively, integrating Bouncy Castle’s FIPS-certified API could be an effective approach. This would enable FusionAuth to become FedRAMP authorized and make it easier for federal agencies or organizations working in highly regulated sectors to adopt the platform.
Alternatives/workarounds
support FIPS validated cryptographic modules and are FedRAMP authorized. Another workaround could be enabling customers to configure FusionAuth to use external FIPS-compliant modules manually.
Additional context
FedRAMP authorization and FIPS validation are increasingly becoming critical compliance requirements for U.S. government agencies and contractors, which limits FusionAuth’s market potential in these sectors. Ensuring that cryptographic operations within FusionAuth meet these standards would help broaden the product’s appeal and adoption.
If we implement this, make sure to update the license FAQ: https://fusionauth.io/license-faq#46
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.