If you need FIPS-validated cryptographic modules for your deployments, you may be aware that these have been turbulent times in the FIPS world. We have seen the introduction of the new FIPS 140-3 standard, with the older 140-2 being phased out (all existing certificates will expire by September 2026 at the latest). The industry has been wrangling with all the new requirements and procedures this process brings. In this post we’ll outline the current situation and how it affects Ubuntu FIPS installations.
Canonical makes FIPS modules available for each LTS release, which arrive every two years. Because of the length of the certification process, the FIPS modules are released some time after the LTS release date, once they have been made compliant, tested by our independent lab partner, and finally approved. This process typically takes many months (or even years). The most recent active certificates for Ubuntu modules are for 20.04 Focal Fossa LTS.
The new FIPS 140-3 standard brings many new requirements to the table that vendors and manufacturers have to comply with. Many industry players, including Canonical, have been working on their modules to bring them in line with the modern standard, ably assisted by the NIST-accredited testing lab partners, and submitting them to CMVP (the Cryptographic Module Validation Program) for certification.
The modules for Ubuntu 22.04 LTS were submitted in September 2023, and are currently available for preview.
There are now over 300 cryptographic modules awaiting CMVP’s approval and at the time of writing just 20 modules have been certified for FIPS 140-3 since the standard was published. This is causing many customers some concern: all existing FIPS 140-2 certificates will move to the Historical List on September 21, 2026, and they would like to have a plan in place to deploy newly-certified modules and keep their businesses running in compliance with national security standards.
In order to more quickly process the modules in their queue, CMVP has announced an interim validation scheme that will apply to modules submitted before January 1, 2024. This is a very exciting development in the world of certified cryptography: it means that customers should be able to consume and deploy FIPS 140-3 modules before the existing 140-2 certificates expire.
We’re very pleased that CMVP have listened to the industry concerns and put this interim scheme in place. It gives everyone a pathway forward to be able to continue to operate IT equipment and services with validated cryptography.
The interim validation scheme relies on rigorous work performed by the network of accredited Cryptography and Security Testing Laboratories. When vendors, such as Canonical, wish to certify their crypto modules, they work in tandem with a testing lab, and the lab performs an extensive and comprehensive set of checks and tests to ensure that the modules perform correctly and fulfil the NIST requirements. The interim validation scheme is placing trust in the testing labs and assumes that they have fully tested each module.
What does this mean for Canonical and the Ubuntu modules? We have requested that the 22.04 LTS modules be included in this interim scheme, and are working with our testing lab partner, Atsec Information Security, to update the Security Policy documents to the NIST SP 800-140Br1 format in order to extend the certificates to a full 5 years.
The modules for our most recent LTS release, 24.04 Noble Numbat, are still in development and have not been submitted for validation yet, and so these will not be eligible for the interim validation program.
We are optimistic that CMVP’s interim validation program will mean that FIPS 140-3 certified cryptography modules for Ubuntu 22.04 LTS will be available soon, initially with a 2-year certification period which will be extended to the full 5 years with a Security Policy update. When this happens, we will make an announcement, and the modules will also become available through the Ubuntu Pro client. In the meantime, you can continue to test the preview modules, and get in touch if you have any questions.
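When testing the preview modules, the first thing to confirm is that the host is actually running in FIPS mode rather than merely having the packages installed. The script below is an added example written for this post; it is not Canonical's tooling and not part of the original article. It reads the kernel's `fips_enabled` flag, checks the boot command line for `fips=1`, and inspects the kernel release string. Two assumptions are labelled in the code: that Ubuntu's FIPS kernels carry "fips" in `uname -r`, and that the Pro client lists the FIPS services (for 22.04 the preview service is assumed to be enabled with `pro enable fips-preview`; confirm the exact service name with `pro status` on your system).

```shell
#!/bin/sh
# fips-check.sh: report whether this Ubuntu host is really running with
# FIPS mode on. Added example for this post, not Canonical's own tooling.
# Assumptions (labelled): Ubuntu's FIPS kernel release string contains
# "fips", and the Pro client exposes the modules as fips* services.

# fips_kernel_state [FILE]: read the kernel's fips_enabled sysctl.
# Prints "enabled", "disabled" or "unknown" (file missing or unreadable).
fips_kernel_state() {
    fks_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$fks_file" ]; then
        echo unknown
        return 0
    fi
    case "$(cat "$fks_file")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# fips_cmdline_flag [FILE]: was the kernel booted with fips=1 on its
# command line? Prints "yes" or "no". -w stops "fips=10" from matching.
fips_cmdline_flag() {
    fcf_file="${1:-/proc/cmdline}"
    if [ -r "$fcf_file" ] && grep -qw 'fips=1' "$fcf_file"; then
        echo yes
    else
        echo no
    fi
}

# fips_kernel_name [RELEASE]: does the running kernel look like a FIPS
# build? Assumption: Ubuntu's FIPS kernels carry "fips" in `uname -r`.
fips_kernel_name() {
    fkn_rel="${1:-$(uname -r)}"
    case "$fkn_rel" in
        *fips*) echo yes ;;
        *)      echo no ;;
    esac
}

# fips_verdict STATE FLAG NAME: combine the three signals into one word.
#   fips      - kernel reports FIPS mode, booted with fips=1, FIPS kernel
#   partial   - some but not all signals present (generic kernel booted
#               with FIPS packages installed, fips=1 missing from GRUB, ...)
#   not-fips  - nothing indicates FIPS mode
fips_verdict() {
    fv_state="$1"; fv_flag="$2"; fv_name="$3"
    if [ "$fv_state" = enabled ] && [ "$fv_flag" = yes ] && [ "$fv_name" = yes ]; then
        echo fips
    elif [ "$fv_state" = enabled ] || [ "$fv_flag" = yes ] || [ "$fv_name" = yes ]; then
        echo partial
    else
        echo not-fips
    fi
}

# fips_report: run the checks against the live host and print them.
fips_report() {
    fr_state="$(fips_kernel_state)"
    fr_flag="$(fips_cmdline_flag)"
    fr_name="$(fips_kernel_name)"
    printf 'kernel fips_enabled : %s\n' "$fr_state"
    printf 'boot cmdline fips=1 : %s\n' "$fr_flag"
    printf 'kernel release      : %s (fips build: %s)\n' "$(uname -r)" "$fr_name"
    printf 'verdict             : %s\n' "$(fips_verdict "$fr_state" "$fr_flag" "$fr_name")"
    # Pro client view, if installed: the fips* services should show "enabled".
    if command -v pro >/dev/null 2>&1; then
        pro status 2>/dev/null | grep -i fips || echo 'pro status: no fips services listed'
    fi
}

fips_report
```

A "partial" verdict is the case worth chasing: it usually means the FIPS packages were installed but the machine was rebooted into the generic kernel, or `fips=1` never made it into the GRUB configuration. Note also what this check does not tell you: `fips_enabled=1` only says the kernel is in FIPS mode; whether the userspace libraries are the validated builds is answered by `pro status` and by comparing installed package versions against those listed in the module's Security Policy.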