Support FIPS-140-3 encryption standard

Open dherder opened this issue 9 months ago • 4 comments

Problem

Complete implementation documented / sized in the following proposal: https://github.com/fleetdm/fleet/blob/main/proposals/fips/fleet-server-fips.md

dherder avatar May 08 '24 17:05 dherder

@dherder why? What's the business case here?

noahtalerman avatar May 09 '24 13:05 noahtalerman

@noahtalerman it is a requirement for the prospects on this issue. @KAB703 can add more context I believe.

dherder avatar May 09 '24 13:05 dherder

All US Federal agencies require FIPS 140-3 and SCAP 1.3. DOD requires the STIG.

KAB703 avatar May 09 '24 15:05 KAB703

Zach: Low upfront cost. High maintenance cost.

noahtalerman avatar May 09 '24 19:05 noahtalerman

Bringing this back to feature fest. We are currently going through the process to become CDM compliant. To qualify, Fleet must meet the following:

  • CMN-6-1: When encryption is required, encrypt transmitted sensitive information with FIPS 140-2 or FIPS 140-3
  • CMN-6-2: When encryption is required, encrypt stored sensitive information with FIPS 140-2 or FIPS 140-3

Being recognized as CDM compliant is important as most federal government contracts, particularly in the cybersecurity and IT space, require it. We risk not being considered for federal opportunities if we are not compliant.

ireedy avatar Jun 19 '24 21:06 ireedy

We risk not being considered for federal opportunities if we are not compliant.

Thanks @ireedy!

Hey @alexmitchelliii do we have any order forms out to federal prospects?

noahtalerman avatar Jun 20 '24 19:06 noahtalerman

@noahtalerman I think we are going to have to bypass the order form out requirement to prioritize this issue because we won't be able to start any federal sales cycles without having it. So the priority call is whether we want to build any federal pipeline now vs other priorities.

alexmitchelliii avatar Jun 20 '24 19:06 alexmitchelliii

@alexmitchelliii: the big opportunities are to replace BigFix, not Jamf.

@noahtalerman: Got it. Not completing the work/testing yet while we're focused on Jamf parity.

cc @ireedy

noahtalerman avatar Jun 21 '24 14:06 noahtalerman

VA page on Jamf compliance: https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=10822&tab=2&minYear=2022

noahtalerman avatar Jun 21 '24 20:06 noahtalerman