Henry Coggill
on 12 June 2024
If you need FIPS-validated cryptographic modules for your deployments, you may be aware that these have been turbulent times in the FIPS world. We have seen the introduction of the new FIPS 140-3 standard, with the older 140-2 being phased out (all existing certificates will expire by September 2026 at the latest). The industry has been wrangling with all the new requirements and procedures this process brings. In this post we’ll outline the current situation and how it affects Ubuntu FIPS installations.
What’s the current situation with FIPS certifications?
Canonical makes FIPS modules available for each Ubuntu LTS release, which arrives every two years. Because of the length of the certification process, the FIPS modules are released some time after the LTS release date, once they have been made compliant, tested by our independent lab partner, and finally approved. This process typically takes many months (or even years). The most recent active certificates for Ubuntu modules are for 20.04 Focal Fossa LTS.
The existing NIST module queue
The new FIPS 140-3 standard brings many new requirements that vendors and manufacturers have to comply with. Many industry players, including Canonical, have been working on their modules to bring them in line with the modern standard, ably assisted by the NIST-accredited testing lab partners, and submitting them to the CMVP (Cryptographic Module Validation Program) for certification.
The modules for Ubuntu 22.04 LTS were submitted in September 2023, and are currently available for preview.
There are now over 300 cryptographic modules awaiting CMVP’s approval and at the time of writing just 20 modules have been certified for FIPS 140-3 since the standard was published. This is causing many customers some concern: all existing FIPS 140-2 certificates will move to the Historical List on September 21, 2026, and they would like to have a plan in place to deploy newly-certified modules and keep their businesses running in compliance with national security standards.
CMVP takes action – Interim Validation
In order to more quickly process the modules in their queue, CMVP has announced an interim validation scheme that will apply to modules submitted before January 1, 2024. This is a very exciting development in the world of certified cryptography: it means that customers should be able to consume and deploy FIPS 140-3 modules before the existing 140-2 certificates expire.
- Interim certificates will be issued that are valid for 2 years
- There is a process to extend that to 5 years via further updates to the Security Policy (so-called Br1)
- CMVP will begin this interim validation process from June 3, 2024
- Interim validation is only intended to process the current backlog, and won’t apply to new module submissions
We’re very pleased that CMVP have listened to the industry concerns and put this interim scheme in place. It gives everyone a pathway forward to be able to continue to operate IT equipment and services with validated cryptography.
The interim validation scheme relies on rigorous work performed by the network of accredited Cryptography and Security Testing Laboratories. When a vendor such as Canonical wishes to certify a crypto module, it works in tandem with a testing lab, which performs an extensive and comprehensive set of checks and tests to ensure that the module performs correctly and fulfils the NIST requirements. The interim validation scheme places its trust in those testing labs: it assumes that each module on the interim list has been fully tested by its lab, so the strength of an interim certificate rests on the quality of that lab work.
Canonical’s FIPS modules
What does this mean for Canonical and the Ubuntu modules? We have requested that the 22.04 LTS modules be included in this interim scheme, and we are working with our testing lab partner, atsec information security, to update the Security Policy documents to the Br1 format in order to extend the certificates to a full 5 years.
The modules for our most recent LTS release, 24.04 Noble Numbat, are still in development and have not been submitted for validation yet, and so these will not be eligible for the interim validation program.
Conclusion
We are optimistic that CMVP’s interim validation program will mean that FIPS 140-3 certified cryptography modules for Ubuntu 22.04 LTS will be available soon, initially with a 2-year certification period which will be extended to the full 5 years with a policy update. When this happens, we will make an announcement, and the modules will also become available with the Pro client. In the meantime, you can continue to test the preview modules, and get in touch if you have any questions.
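Whether the modules come from the interim list or a later full certificate, the deployed host still has to be checked. As an added example (this is not code from the post or from Canonical), here is a small POSIX shell check that confirms the kernel is actually running in FIPS mode and lists the FIPS-related packages and OpenSSL build present. It assumes the standard Linux sysctl path /proc/sys/crypto/fips_enabled and that openssl and dpkg-query are on the PATH; the optional path argument exists only so the check can be exercised against a constructed file as well as the live sysctl.

```shell
#!/bin/sh
# Added example, not Canonical's code: verify that an Ubuntu host is really
# running in FIPS mode and show which FIPS packages and OpenSSL build it has.
# Assumption: the kernel exposes its FIPS flag at /proc/sys/crypto/fips_enabled.

# Returns 0 if the file at $1 (default: the kernel's fips_enabled sysctl)
# contains "1", 1 if it contains anything else, and 2 if it cannot be read.
# The path argument is there so the check can be run against a constructed
# file for testing, not only against the live sysctl.
fips_mode_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || return 2
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Human-readable report. Always returns 0 so it can be used in pipelines;
# the first output line carries the verdict.
fips_report() {
    if fips_mode_enabled "$1"; then
        echo "kernel FIPS mode: enabled"
    else
        echo "kernel FIPS mode: NOT enabled (flag is 0 or sysctl is unreadable)"
    fi
    if command -v openssl >/dev/null 2>&1; then
        # With the OpenSSL 3 FIPS packages, 'openssl list -providers' should
        # additionally show the fips provider loaded; only the version is shown here.
        echo "openssl: $(openssl version)"
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        echo "installed packages matching *fips*:"
        # dpkg-query exits non-zero when nothing matches; treat that as "none".
        dpkg-query -W -f='  ${Package} ${Version}\n' '*fips*' 2>/dev/null || echo "  (none)"
    fi
    return 0
}

fips_report
```

Run it after enabling the modules through the Pro client (for the 22.04 preview modules that is the fips-preview service) and after the reboot that follows: the kernel only reports FIPS mode once the FIPS kernel is booted, so a host that has the packages installed but still reports "NOT enabled" has not yet been rebooted into them.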