
Rajan Patel
on 30 August 2022


Encryption is key to protecting sensitive data. There are several methodologies using different cryptographic algorithms to convert plain text into cipher text. Navigating multiple methodologies and algorithms creates a complex, labour-intensive process for teams evaluating the cryptographic services offered within software components. 

The governments of the United States and Canada have encryption requirements for their own systems, and those used by their vendors. The Federal Information Processing Standard (FIPS) Publication is an evolving standard, currently at version 140-2. FIPS 140-2 states what versions of certified software are suitable for use within all federal agencies and entities that work with these agencies. Ubuntu will support FIPS 140-3 when it is ready, and organisations are looking to implement that standard.

The FIPS standard for cryptographic modules and kernel configurations can serve as a baseline for your encryption and tamper-proofing policies. When embarking on a FIPS implementation, you’ll hear terms like FIPS certified and FIPS compliant – what’s the difference and which one is better?

The difference between FIPS certified and FIPS compliant

A FIPS certified implementation conforms to the FIPS standard, with no security enhancements beyond the bare minimum that is required. In response to a continuously evolving cybersecurity landscape, Canonical’s FIPS compliant implementation uses the FIPS standard as a baseline, and provides security enhancements beyond the standard, certified solution. 

How are FIPS certified and FIPS compliant implementations different? What makes the most sense for your organisation? The answer may surprise you.

Seeing past preconceptions

To find out whether it’s best to be FIPS certified vs FIPS compliant, let’s consider a hypothetical example from the automotive industry. ISO 26262 is a guideline for functional safety, and is an industry standard for car manufacturers. Assuming two automakers are producing identical cars, except one is ISO 26262 certified and the other is ISO 26262 compliant, which car is more appealing for consumers, and why?

If a hypothetical certified standard for cars mandates a metal body and 4 wheels, both cars above conform to the standard. The car on the left is certified, with strict conformance. The car on the right treats the certified standard as a baseline, and goes beyond that minimum.

As consumers we know that a certified implementation takes a significant investment in time and money, and implies third party validation of this work. Consumers’ knee-jerk reaction is to assume the compliant implementation may be an attempt to conform to best practices by skipping formal validation, in favour of self-evaluation. The compliant vehicle is viewed as a generic knock-off. The certified vehicle is expected to have desirable attributes the generic can only aspire to have.

While this is true for ISO 26262, is certified always better than compliant? The answer is, not always. Treating the standard as a baseline, and going above and beyond the baseline to mitigate risk, can produce better outcomes. The difference between a compliant implementation and a certified implementation is a strategic decision. 

Having a uniform level of security protects sensitive information, and mitigates risk on any exposed attack surfaces. If your organisation requires a FIPS certified implementation, it’s worth asking about the risks associated with running systems with unpatched vulnerabilities.

Learn more about the trade-offs between FIPS compliant and FIPS certified, and maximising security while minimising risk.

Watch a webinar recording about implementing FIPS safely

Presented by Canonical’s VP of Public Sector, Chris Huffman, and Product Managers Rajan Patel, Ijlal Loutfi, and Henry Coggill.

The webinar covers baselines, standards, and guidelines as they pertain to implementing FIPS with maximum security.


FIPS requirements are satisfied through Ubuntu

FIPS certified Ubuntu and FIPS compliant Ubuntu both qualify as a FIPS validated operating system. Between both offerings, the FIPS requirements for government agencies, their partners, and those wanting to conduct business with the federal government, are satisfied.

Watch our webinar, “Implementing FIPS with maximum security configurations”, to understand the trade-offs in more detail.

Manage Ubuntu with Landscape

Landscape is Canonical’s monitoring and management tool for Ubuntu, which can be deployed anywhere, even as a self-hosted service in air-gapped environments.

Beyond implementing and auditing for FIPS, Landscape also handles security and vulnerability patching, and is an essential component of many organisations’ broader compliance strategies. Self-hosted Landscape is free for limited personal or evaluation use. All machines with an active Ubuntu Pro subscription can use Landscape at no additional cost.

Landscape is included with Ubuntu Pro FIPS on Amazon Web Services and Microsoft Azure, and Ubuntu Pro on Google Cloud Platform.

If you want to learn more

Talk to us about FIPS on Ubuntu in air-gapped environments, and our professional services options.


Learn more about what we do around FIPS compliance here!
