FIPS Compliance Validation¶
Validate FIPS 140-2/3 compliance using CBOM Generator.
Overview¶
FIPS 140-2/3 (Federal Information Processing Standards) are U.S. government security standards for cryptographic modules. Many organizations require FIPS compliance for:
- Government contracts
- Financial services
- Healthcare (HIPAA)
- Critical infrastructure
Prerequisites¶
- CBOM Generator installed
- Root access for system scanning
- Understanding of your compliance requirements
Step 1: Scan for FIPS-Certified Libraries¶
Run comprehensive CBOM scan:
./build/cbom-generator \
--discover-services \
--plugin-dir plugins \
--format cyclonedx --cyclonedx-spec 1.7 \
--no-personal-data \
--output fips-assessment.json
Find Libraries with FIPS Status¶
cat fips-assessment.json | jq '.components[] |
select(.type == "library") |
{name, version,
fips_status: [.properties[] | select(.name | contains("fips"))][0].value // "NOT_VALIDATED"}'
Step 2: Identify Non-Compliant Algorithms¶
Find Deprecated Algorithms¶
cat fips-assessment.json | jq '.components[] |
select(.properties[]? | select(.name == "cbom:pqc:status" and .value == "DEPRECATED")) |
{name, reason: [.properties[] | select(.name == "cbom:pqc:rationale")][0].value}'
Check for Banned Algorithms¶
FIPS prohibits certain algorithms:
| Algorithm | Status | Replacement |
|---|---|---|
| MD5 | Banned | SHA-256+ |
| SHA-1 | Deprecated | SHA-256+ |
| DES | Banned | AES |
| 3DES | Limited (2023 cutoff) | AES |
| RC4 | Banned | AES-GCM |
| RSA < 2048 | Banned | RSA-2048+ |
# Find banned algorithms
cat fips-assessment.json | jq '.components[] |
select(.name | test("MD5|DES|RC4|SHA-1"; "i")) |
{name, location: .evidence.occurrences[0].location}'
Step 3: Verify Approved Algorithms¶
FIPS 140-2/3 Approved Algorithms¶
| Category | Approved |
|---|---|
| Symmetric | AES (128, 192, 256) |
| Hash | SHA-256, SHA-384, SHA-512, SHA-3 |
| Signature | RSA (2048+), ECDSA (P-256+) |
| Key Agreement | ECDH, DH (2048+) |
| MAC | HMAC-SHA-256+ |
| KDF | PBKDF2, HKDF |
# Count approved vs non-approved
cat fips-assessment.json | jq '
[.components[] |
select(.cryptoProperties?.assetType == "algorithm") |
if (.name | test("AES|SHA-256|SHA-384|SHA-512|ECDSA|RSA-[2-9][0-9]{3}"; "i"))
then "APPROVED" else "REVIEW" end] |
group_by(.) |
map({status: .[0], count: length})'
Step 4: Check Service Configurations¶
Verify TLS Cipher Suites¶
FIPS-approved TLS cipher suites:
cat fips-assessment.json | jq '.components[] |
select(.["bom-ref"] | startswith("cipher:")) |
select(.name | test("AES.*GCM|AES.*CBC"; "i")) |
.name' | sort | uniq
Check SSH Algorithms¶
cat fips-assessment.json | jq '.components[] |
select(.name | test("ssh|sshd"; "i")) |
{name, ciphers: [.properties[] | select(.name | contains("cipher"))][0].value}'
Step 5: Replace Non-Compliant Algorithms¶
Update OpenSSL Configuration¶
For FIPS mode (OpenSSL 3.0+):
# Enable FIPS provider
sudo nano /etc/ssl/openssl.cnf
Add:
[provider_sect]
default = default_sect
fips = fips_sect
base = base_sect
[fips_sect]
activate = 1
[base_sect]
activate = 1
[default_sect]
activate = 1
Update Application Configurations¶
Ensure services use FIPS-approved algorithms only:
Apache:
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
Nginx:
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
Step 6: Validate Compliance¶
Re-run CBOM scan:
./build/cbom-generator \
--discover-services \
--plugin-dir plugins \
--format cyclonedx --cyclonedx-spec 1.7 \
--no-personal-data \
--output fips-after-remediation.json
Generate Compliance Report¶
# Summary statistics
echo "=== FIPS Compliance Summary ==="
echo "Deprecated algorithms:"
cat fips-after-remediation.json | jq '[.components[] |
select(.properties[]? | select(.name == "cbom:pqc:status" and .value == "DEPRECATED"))] | length'
echo "Weak/Unsafe algorithms:"
cat fips-after-remediation.json | jq '[.components[] |
select(.properties[]? | select(.name == "cbom:pqc:status" and .value == "UNSAFE"))] | length'
echo "Approved algorithms:"
cat fips-after-remediation.json | jq '[.components[] |
select(.cryptoProperties?.assetType == "algorithm") |
select(.name | test("AES|SHA-256|SHA-384|SHA-512|ECDSA|RSA-[2-9]"; "i"))] | length'
Step 7: Generate Audit Report¶
Create documentation for auditors:
# Export compliance evidence
cat fips-after-remediation.json | jq '{
scan_date: .metadata.timestamp,
total_components: (.components | length),
libraries: [.components[] | select(.type == "library") | {name, version}],
algorithms: [.components[] | select(.cryptoProperties?.assetType == "algorithm") | .name] | unique,
deprecated_count: [.components[] | select(.properties[]? | select(.name == "cbom:pqc:status" and .value == "DEPRECATED"))] | length,
unsafe_count: [.components[] | select(.properties[]? | select(.name == "cbom:pqc:status" and .value == "UNSAFE"))] | length
}' > fips-audit-report.json
NIST CMVP Certification¶
The NIST Cryptographic Module Validation Program (CMVP) validates cryptographic modules.
Check for Validated Modules¶
Visit: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules
Common validated modules: - OpenSSL FIPS Provider - libgcrypt FIPS mode - AWS-LC FIPS - NSS FIPS mode
Success Criteria¶
- [ ] No deprecated algorithms (MD5, SHA-1, DES, RC4)
- [ ] All RSA keys >= 2048 bits
- [ ] All ECDSA keys >= P-256
- [ ] FIPS-approved cipher suites only
- [ ] FIPS provider enabled (OpenSSL 3.0+)
- [ ] Audit report generated
- [ ] Documentation for compliance evidence
Important Note¶
CBOM Generator provides stub metadata for FIPS certification status. Actual FIPS validation must be verified against the NIST CMVP database and your organization's compliance requirements.