Investigation: FIPS compliance [TIMEBOX]

[zhumo]

This issue's remaining effort can be completed in ≤1 sprint. It will be valuable even if nothing else ships.

It is planned and ready to implement. It is on the proper kanban board.

Goal

User story
As a Fleet admin who wants to use Fleet for federal gov't customers,
I want to investigate and know the list of tasks required for us to have a version of Fleet that is FEDRAMP (FIPS, specifically) compliant
so that I can segment where hosts that touch Federal environments will live.

• GOAL: determine what changes would be needed in order to get Fleet to be FIPS compliant and rough estimation of time effort.
• Timebox to 1pt.
• GO / crypto components of GO are not FIPS compliant.
• Video of customer discussing FIPS compliance: https://us-65885.app.gong.io/call?id=5059154534185045873&xtid=53jjjzitncod9h146g9

https://www.sdxcentral.com/security/definitions/data-security-regulations/what-does-mean-fips-compliant/ Customer video: https://us-65885.app.gong.io/call?id=5059154534185045873&xtid=53jjjzitncod9h146g9

Areas where crypto is implicated:

• authentication
• password hashing
• validating SAML responses
• random secret generation
• Fleet desktop "my device" hash
• TLS (connection to mysql and redis)

EXCLUDE

• fleetd (customer-ani is working with 3rd party to work on osquery)
• TUF

Changes

Product

• [ ] UI changes: TODO
• [ ] CLI usage changes: TODO
• [ ] Permissions changes: TODO
• [ ] Outdated documentation changes: TODO
• [ ] Changes to paid features or tiers TODO

Engineering

• [ ] REST API changes: TODO
• [ ] Database schema migrations: TODO
• [ ] Documentation changes complete

Product quality

• [ ] QA complete
• [ ] ...

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

• Requestor(s): @zayhanlon

QA

QA is not needed for timebox work. Testing plans will be created if / when stories are created.

[sharon-fdm]

My thoughts, this could be a very big item. We can start with brainstorming and mapping the scope of work.

[zhumo]

Hey @zayhanlon we could not get to this issue due to some last minute issues from customers. We'll get to this next sprint.

[zayhanlon]

Is it possible to complete this during merge freeze? @zhumo

[zhumo]

I think that's a quesetion for @sharon-fdm ^^^

[sharon-fdm]

@zhumo @zayhanlon @lucasmrod What are next steps here? Do we agree on the first phase and can create tickets? Or do you want to go through a PRODUCT session before creating them?

In any case, can we close this research story?

[zayhanlon]

@sharon-fdm - you can close the research story! no action needed at this time. i will coordinate with product if we decide to proceed

[sharon-fdm]

Thanks @zayhanlon. Will close.

[sharon-fdm]

@lucasmrod Please merge your PR and move this story to 'closed'.

[fleet-release]

FIPS compliance sought, Secure clouds for government, Fleet's reach extends thought.

[zhumo]

Hi @sharon-fdm please make sure this gets into confirm and celebrate.

[fleet-release]

Fleet treads towards FIPS, In clouds, secure data drifts, Peace for government ships.

[ireedy]

C&C: @zayhanlon @zhumo did we de-prioritize? any action need here before we close?

[zayhanlon]

@ireedy no - the timebox scoping work is complete. nothing further is required here

[noahtalerman]

@zayhanlon did we share the findings w/ the customer? If yes, can you please close this issue? Thanks!

[fleet-release]

FIPS compliance quest, Guides Fleet through cloud's vast test, Securing with zest.