Igor's Techno Club

What you should know about FIPS as a developer

What is FIPS

FIPS, or Federal Information Processing Standards, are public standards developed by the United States federal government. In particular, they include a set of US government standards that specify which cryptographic algorithms are allowed for use. The standard has several revisions; your code must be compliant with at least version 140-2.

What changes should be done in an application

It depends on the FIPS revision (FIPS 140-2, FIPS 140-3, FIPS 200, etc.), but the minimal change set includes:

How to test these changes

You will need an environment where FIPS is enabled (so-called FIPS mode). In such an environment the use of non-compliant algorithms is prohibited, so the application either won't start up or will throw a runtime error the first time it touches a prohibited algorithm. Therefore, extensive testing of the changes will be needed.

For an example of such an environment, look at existing images that ship with FIPS enabled.
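The failure described above (a non-approved algorithm being refused at runtime) is easier to find at start-up than deep inside a request. The following Java class, added here as an example and not code from the original post, probes every algorithm the application relies on and prints which ones the installed security providers refuse to supply. The algorithm lists are assumptions for a hypothetical application; MD5 and DES are included because a typical FIPS-mode provider configuration rejects them, which is exactly what the check is meant to surface before the application goes further.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

/**
 * Start-up self-check for a FIPS-mode JVM (example code, not from the original post).
 * It asks the installed providers for each algorithm the application uses and
 * reports the ones that are unavailable, so a prohibited algorithm is caught
 * at start-up with a clear message instead of as a surprise runtime error.
 */
public final class FipsSelfCheck {

    // Assumed lists for a hypothetical application; replace with what your code really uses.
    private static final String[] DIGESTS = {"SHA-256", "SHA-512", "MD5", "SHA-1"};
    private static final String[] CIPHERS = {
        "AES/GCM/NoPadding", "AES/CBC/PKCS5Padding", "DES/CBC/PKCS5Padding"
    };

    /** Returns a map of "kind name" -> "ok (provider)" or "UNAVAILABLE: reason". */
    public static Map<String, String> probe() {
        Map<String, String> results = new LinkedHashMap<>();
        for (String name : DIGESTS) {
            try {
                MessageDigest md = MessageDigest.getInstance(name);
                results.put("MessageDigest " + name, "ok (" + md.getProvider().getName() + ")");
            } catch (NoSuchAlgorithmException e) {
                // In FIPS mode this is the branch MD5 takes: no provider will supply it.
                results.put("MessageDigest " + name, "UNAVAILABLE: " + e.getMessage());
            }
        }
        for (String name : CIPHERS) {
            try {
                Cipher c = Cipher.getInstance(name);
                results.put("Cipher " + name, "ok (" + c.getProvider().getName() + ")");
            } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
                results.put("Cipher " + name, "UNAVAILABLE: " + e.getMessage());
            }
        }
        return results;
    }

    public static void main(String[] args) {
        // Provider order decides which implementation answers a getInstance() call,
        // so print it: a FIPS-mode JVM should list only the approved provider(s) first.
        System.out.println("Installed security providers (in lookup order):");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
        System.out.println();

        boolean failed = false;
        for (Map.Entry<String, String> e : probe().entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
            if (e.getValue().startsWith("UNAVAILABLE")) {
                failed = true;
            }
        }
        if (failed) {
            // Mirror FIPS-mode behaviour deliberately: refuse to start rather than fail later.
            System.err.println("Required algorithms are unavailable; aborting start-up.");
            System.exit(1);
        }
    }
}
```

Run it once on a normal JVM and once inside the FIPS-enabled image: the diff between the two reports is the list of call sites you still have to migrate to approved algorithms. Keeping the probe lists in sync with the algorithms the application actually calls is what makes the check meaningful.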

What about external services

It's not strictly required, but if you plan to obtain FIPS certification, all external services your application interacts with (e.g., Kafka, Cassandra) will also need to be running in FIPS mode.

#fips #java #security