Developing and running Linux workloads for U.S. government regulated and high-security environments requires a long and expensive validation process. Reduce your accreditation timeline and pass on your validation costs with the FIPS 140 certified cryptographic packages of Ubuntu Pro on-premise or on Public Clouds.
U.S Federal agencies and anyone deploying systems and cloud services for Federal government agency use, whether directly or through contractors, are required to run workloads with FIPS 140 validated cryptography. FIPS 140 has also been adopted outside of the public sector in industries where data security is heavily regulated, such as financial services (PCI-DSS), healthcare (HIPAA), and other sectors. Ubuntu Pro provides FIPS 140 certified cryptographic packages.
Developing applications that comply with FIPS 140 can be a challenging task. Validating the used cryptography in-house involves a long and expensive process that requires cryptography expertise and involves reviews from a 3rd party lab and NIST. All these introduce costs and complexity that may delay your launch. Ensure that you ship on time and reduce both validation costs and time by using the Ubuntu validated standard open source packages. The Ubuntu Pro packages are validated on common CPU types and are also available for use on the public cloud.
FIPS 140 ensures that cryptographic algorithms known to be secure are used for data protection, and they are thoroughly tested and attested by a laboratory accredited under the NIST’s Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) in the US and CCCS’s Cryptographic Module Validation Program (CMVP) in Canada. Ubuntu Pro provides you with cryptographic packages that are tested and attested by atsec Information Security, a NIST accredited laboratory.
FIPS 140 is a U.S. and Canada Government data protection standard. It defines security requirements related to the design and implementation of a cryptographic module. The reason for a data protection standard dedicated to cryptography is because cryptography today is omnipresent, and is very hard to get right in a constantly expanding threat model such as today’s Internet. The standard ensures that cryptographic algorithms known to be secure are used for data protection, and they are thoroughly tested and attested by a 3rd party. The testing and validation must be performed by a laboratory, which is accredited under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) and is part of NIST's National Voluntary Laboratory Accreditation Program (NVLAP) in the US and CCCS's Cryptographic Module Validation Program (CMVP) in Canada.
FIPS 140-2 is required under multiple compliance regimes, such as the Federal Risk and Authorization Management Program (FedRAMP), the Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Learn about the US government security standards and the common challenges faced by organizations in their implementation. See how the Ubuntu Security Guide can transform systems compliance in a few minutes. Get to know how Ubuntu is a secure platform for government agencies and complying organizations to build, operate and innovate with open source applications and technologies.
Contact usFIPS can be enabled on Ubuntu Pro cloud images, while Ubuntu Pro FIPS cloud images simplify the experience as they come preconfigured with FIPS 140 certified packages optimised for the cloud. You can quickly navigate the marketplace to find the FIPS-enabled images below.
Ubuntu Pro FIPS 16.04
Ubuntu Pro FIPS 18.04
Ubuntu Pro FIPS 20.04
Interested in FIPS for container images? Read more on this blog.
The following list contains the FIPS 140 validated components that are available with Ubuntu Pro. The validated modules are API and ABI compatible with the default Ubuntu packages. The validation testing for Ubuntu was performed by atsec Information Security, a NIST accredited laboratory.
|
Ubuntu 16.04 LTS
on x86-64, IBM Power8 and IBM Z |
Ubuntu 18.04 LTS
on x86-64 and IBM Z |
Ubuntu 20.04 LTS
on x86-64 and IBM Z |
|
|---|---|---|---|
| Linux Kernel (GA) Crypto API | #2962, #3724 |
#3647, #4018, #3664 (AWS),
#3683 (Azure), #3954 (GCP) |
#4366, #4132 (AWS), #4126 (Azure), #4127 (GCP) |
| OpenSSH client | #2907 | #3633 | #4292 |
| OpenSSL | #2888, #3725 | #3622, #3980 | |
| OpenSSH server | #2906 | #3632 | |
| libgcrypt | – | #3748 | #3902 |
| StrongSwan | #2978 | #3648 | #4046 |
Each FIPS 140 certificate is valid for 5 years. However, vulnerabilities happen, and it is our goal to publish fixed packages quickly, irrespective of their certification status. We therefore provide two alternative options. An option to remain with the certified cryptographic packages (called the 'fips' option), and an option to use the certified packages but include security fixes (called the 'fips-updates' option) when available. Check our documentation pages on how to enable these options.
We strongly recommend enabling the 'fips-updates' option that includes the security fixes. The packages from the 'fips-updates' option are updated to include high and critical security fixes during the whole product lifecycle including the Expanded Security Maintenance (ESM) phase.
Canonical provides Ubuntu Pro subscriptions, which include FIPS, free of charge for individuals on up to 5 machines. For our community of Ubuntu members, we will gladly increase that to 50 machines.
Get a free subscriptionIn September 2021, NIST phased out FIPS 140-2. Certifications under FIPS 140-2 will be moved to the historical list after September 2026 (although these products can still be purchased and used), and new products are expected to be certified under FIPS 140-3. FIPS 140-3 is a combined effort of NIST and ISO with the Security and Testing requirements for cryptographic modules being published as ISO/IEC 19790 and ISO/IEC 24759. Canonical is preparing Ubuntu for the new certification, and will provide FIPS 140-3 certified cryptographic packages on future LTS releases of Ubuntu, starting with 22.04 Jammy Jellyfish.
