How are you able to use AWS ELBs when they are not FIPS compliant?
seanorama opened this issue · 2 comments
My understanding is that FedRAMP authorization requires "FIPS 140-2", but:
"Elastic Load Balancing SSL is not FIPS 140-2" https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-elb.html
However, your docs indicate the use of ELB for TLS connections: https://cloud.gov/docs/compliance/domain-standards/#ssltls-implementation
Can you clarify how this is possible, considering the NIST & FedRAMP requirements for "FIPS 140-2"?
Great question, @seanorama
Answering the "how is this possible?" part involves some tea-leaf reading, but it seems that FedRAMP today is taking a much harder line on FIPS 140-2 validated cryptography than they did 5 years ago.
So cloud.gov and other earlier-authorised CSPs are not running on fully FIPS-validated stacks -- which you've probably noted. We were not required to be fully FIPS-140 initially, and we're now on a path to full FIPS 140 in coming months/years (it's not a short journey, as you're also likely aware).
As far as I can tell, FIPS 140 is now a hard requirement to start the FedRAMP authorization process.
I may be pulling together a community of practice for small-CSP compliance officers, if you're interested, please email me at cloud-gov-compliance@gsa.gov and I'll let you know when we get that started.
Also, if you're actually asking about what plans we have, if any, to provide routing and TLS with FIPS 140, I can help there but not in an open forum.
@seanorama If you have further thoughts/research on FIPS-140, you may want to comment on https://github.com/cloud-gov/private/issues/1217 or cloud-gov/product#2346 -- Thanks!