Is my application "FIPS 140-2" compliant?

Question

Hello,

I run Tomcat on an Amazon EC2 instance. It is Tomcat 8, and I installed it from the standard yum repository that Amazon provides. The machine is a few years old so it might not be a current Amazon Linux release. The version of Java appears to be "OpenJDK 1.8.0_382" and my SSL certificate is issued by "RapidSSL TLS RSA CA G1".

I'm not a security expert. My boss asked me if our system is FIPS 140-2 compliant. I don't really know what that means or how I would go about making this determination. Is it the certificate that determines this, or is it the encryption libraries in Java, or something else? Does it matter what the client is using to connect?

Thanks,
Frank

Answer

Hi,

You have here a list of AWS services that are FIPS-compliant: https://aws.amazon.com/compliance/fips/

As you will see EC2 and its close services (Image Builder, etc.) are FIPS compliant. But, be careful: the compliance of your final global system strongly depends on the way the you configure the AWS services that you use and also how you configure your additional software (Tomcat, etc.)

Have a look at this ppt to understand more about a FIPS certification journey: https://d1.awsstatic.com/events/Summits/awsreinforce2023/DAP323_AWS-LC-FIPS-certification-journey-and-how-its-used-on-AWS.pdf

Best,

Didier

Is my application "FIPS 140-2" compliant?

Relevanter Inhalt