From ecefcc647f0a8f73c929a4ec355ff84bb141d6de Mon Sep 17 00:00:00 2001 From: Yaroslav Zhuravlev Date: Thu, 18 Sep 2025 10:10:34 +0100 Subject: [PATCH 1/3] FIPS: simplified table, fixed URL. --- content/nginx/fips-compliance-nginx-plus.md | 53 ++++++++++++--------- 1 file changed, 30 insertions(+), 23 deletions(-) diff --git a/content/nginx/fips-compliance-nginx-plus.md b/content/nginx/fips-compliance-nginx-plus.md index 1bd23eb30..5c44b62c1 100644 --- a/content/nginx/fips-compliance-nginx-plus.md +++ b/content/nginx/fips-compliance-nginx-plus.md 
@@ -25,30 +25,37 @@ Some industries such as finance, healthcare, energy, also adopt FIPS to enhance Currently, both FIPS 140-2 and FIPS 140-3 certifications are accepted. However, FIPS 140-2 is being phased out as part of the [FIPS 140-3 transition plan](https://csrc.nist.gov/projects/fips-140-3-transition-effort). After September 22, 2026, only FIPS 140-3 certifications will be recognized. Organizations are encouraged to migrate to FIPS 140-3 to meet updated cryptographic security requirements. {{}} -| **Program/Regulation/Industry** | **FIPS 140-2/140-3 Requirement** | **Current Status** | -|---------------------------------|----------------------------------|---------------------------------------------------------------------| -| CJIS | 140-2 or 140-3 | FIPS required for systems protecting criminal justice data. | -| CMMC | 140-2 or 140-3 | FIPS required for Levels 2 and 3 compliance. | -| Common Criteria | 140-2 or 140-3 | Evaluations reference both FIPS versions for cryptographic security. | -| Critical Infrastructure | 140-2 or 140-3 | Utilities and systems accept both versions depending on deployments. | -| Department of Veterans Affairs| 140-2 or 140-3 | Both versions used for securing sensitive health and personal data. | -| DFARS | 140-2 or 140-3 | Cryptographic modules for CUI must be FIPS compliant. | -| DoDIN APL | 140-2 or 140-3 | Approved IT products must include FIPS validation. | -| FAA | 140-2 transitioning to 140-3 | 140-2 modules common in existing systems; new systems use 140-3. | -| FERPA | 140-2 or 140-3 | Federal-funded educational systems align with 140-2 or 140-3. | -| FedRAMP | 140-2 or 140-3 | FIPS required for encryption; both versions accepted. | -| FISMA | 140-2 or 140-3 | Both versions accepted; agencies adopt existing 140-2 modules. | -| HIPAA | 140-2 or 140-3 | FIPS ensures encryption for ePHI; both versions are valid. | -| HITECH | 140-2 or 140-3 | FIPS use aligns with encryption best practices for ePHI. 
| -| Intelligence Community | 140-2 transitioning to 140-3 | Current systems mostly use 140-2; newer systems adopt 140-3. | -| Military & Tactical Systems | 140-2 transitioning to 140-3 | 140-2 used widely; transitioning to 140-3 certifications for future tools.| -| NSA CSfC | 140-2 transitioning to 140-3 | NSA accepts 140-2 but prefers newer certifications under 140-3. | -| Nuclear Regulatory Commission | 140-2 or 140-3 | Cryptography for nuclear systems relies on both versions. | -| PCI DSS | 140-2 or 140-3 | Both versions recommended but not mandatory. | -| State and Local Gov Programs | 140-2 or 140-3 | FIPS required for federal grant-funded security systems. | -| TSA | 140-2 or 140-3 | Best practice for cryptographic protection; both versions accepted. | +| **Sector / Program** | **Version** | **Status** | +|--------------------------------|----------------|---------------| +| **Federal Programs** | | | +| CJIS | 140-2 or 140-3 | Mandatory | +| FedRAMP | 140-2 or 140-3 | Mandatory | +| FISMA | 140-2 or 140-3 | Mandatory | +| DFARS | 140-2 or 140-3 | Mandatory | +| DoDIN APL | 140-2 or 140-3 | Mandatory | +| FAA | 140-2 to 140-3 | Transitioning | +| TSA | 140-2 or 140-3 | Recommended | +| **Defense & Intelligence** | | | +| CMMC | 140-2 or 140-3 | Mandatory | +| Intelligence Community | 140-2 to 140-3 | Transitioning | +| NSA CSfC | 140-2 to 140-3 | Transitioning | +| Military & Tactical Systems | 140-2 to 140-3 | Transitioning | +| **Healthcare & Education** | | | +| HIPAA | 140-2 or 140-3 | Mandatory | +| HITECH | 140-2 or 140-3 | Mandatory | +| Department of Veterans Affairs | 140-2 or 140-3 | Mandatory | +| FERPA | 140-2 or 140-3 | Recommended | +| **Commercial/Private Sector** | | | +| PCI DSS | 140-2 or 140-3 | Recommended | +| Common Criteria | 140-2 or 140-3 | Recommended | +| **Infrastructure & Critical Systems** | | | +| Critical Infrastructure | 140-2 or 140-3 | Recommended | +| Nuclear Regulatory Commission | 140-2 or 140-3 | Recommended | +| 
**State & Local Government** | | | +| State and Local Gov Programs | 140-2 or 140-3 | Mandatory | {{< /bootstrap-table >}} + ### FIPS compliance in other countries Although FIPS 140 is primarily a North American government cryptographic standard, it is widely recognized as a global benchmark for cryptographic security. Numerous countries outside North America align their cryptographic requirements with FIPS, especially in regulated sectors such as finance, defense, healthcare, and critical infrastructure. @@ -129,7 +136,7 @@ The process uses Red Hat Enterprise Linux (RHEL) release 9.6 as an example and c ### Step 1: Configure the operating system to use FIPS mode {#os-fips-setup} -For the purposes of the following demonstration, we installed and configured a RHEL 9.6 server. The [Red Hat FIPS documentation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations#sec-Enabling-FIPS-Mode) explains how to switch the operating system between FIPS mode and non‑FIPS mode by editing the boot options and restarting the system. +For the purposes of the following demonstration, we installed and configured a RHEL 9.6 server. The [Red Hat FIPS documentation](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening) explains how to switch the operating system between FIPS mode and non‑FIPS mode by editing the boot options and restarting the system. For instructions for enabling FIPS mode on other FIPS‑compliant Linux operating systems, see the operating system documentation, for example: From b440723f21ebf2ca1068e57fd1481541078a6f2b Mon Sep 17 00:00:00 2001 From: yar Date: Thu, 18 Sep 2025 10:49:10 +0100 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Alan Dooley --- content/nginx/fips-compliance-nginx-plus.md | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/content/nginx/fips-compliance-nginx-plus.md b/content/nginx/fips-compliance-nginx-plus.md index 5c44b62c1..98a087d10 100644 --- a/content/nginx/fips-compliance-nginx-plus.md +++ b/content/nginx/fips-compliance-nginx-plus.md @@ -24,7 +24,6 @@ Some industries such as finance, healthcare, energy, also adopt FIPS to enhance Currently, both FIPS 140-2 and FIPS 140-3 certifications are accepted. However, FIPS 140-2 is being phased out as part of the [FIPS 140-3 transition plan](https://csrc.nist.gov/projects/fips-140-3-transition-effort). After September 22, 2026, only FIPS 140-3 certifications will be recognized. Organizations are encouraged to migrate to FIPS 140-3 to meet updated cryptographic security requirements. -{{}} | **Sector / Program** | **Version** | **Status** | |--------------------------------|----------------|---------------| | **Federal Programs** | | | @@ -53,7 +52,6 @@ Currently, both FIPS 140-2 and FIPS 140-3 certifications are accepted. However, | Nuclear Regulatory Commission | 140-2 or 140-3 | Recommended | | **State & Local Government** | | | | State and Local Gov Programs | 140-2 or 140-3 | Mandatory | -{{< /bootstrap-table >}} ### FIPS compliance in other countries From 48982becbf5a004147b7b117dec596f4597ce943 Mon Sep 17 00:00:00 2001 From: Yaroslav Zhuravlev Date: Thu, 18 Sep 2025 10:56:05 +0100 Subject: [PATCH 3/3] fix: table tags --- content/nginx/fips-compliance-nginx-plus.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/nginx/fips-compliance-nginx-plus.md b/content/nginx/fips-compliance-nginx-plus.md index 98a087d10..580c47829 100644 --- a/content/nginx/fips-compliance-nginx-plus.md +++ b/content/nginx/fips-compliance-nginx-plus.md 
@@ -24,6 +24,7 @@ Some industries such as finance, healthcare, energy, also adopt FIPS to enhance Currently, both FIPS 140-2 and FIPS 140-3 certifications are accepted. However, FIPS 140-2 is being phased out as part of the [FIPS 140-3 transition plan](https://csrc.nist.gov/projects/fips-140-3-transition-effort). After September 22, 2026, only FIPS 140-3 certifications will be recognized. Organizations are encouraged to migrate to FIPS 140-3 to meet updated cryptographic security requirements. +{{< table >}} | **Sector / Program** | **Version** | **Status** | |--------------------------------|----------------|---------------| | **Federal Programs** | | | @@ -52,13 +53,13 @@ Currently, both FIPS 140-2 and FIPS 140-3 certifications are accepted. However, | Nuclear Regulatory Commission | 140-2 or 140-3 | Recommended | | **State & Local Government** | | | | State and Local Gov Programs | 140-2 or 140-3 | Mandatory | - +{{< /table >}} ### FIPS compliance in other countries Although FIPS 140 is primarily a North American government cryptographic standard, it is widely recognized as a global benchmark for cryptographic security. Numerous countries outside North America align their cryptographic requirements with FIPS, especially in regulated sectors such as finance, defense, healthcare, and critical infrastructure. -{{}} +{{< table >}} | Country/Region | FIPS Use | |----------------|-----------------------------------------------------------------------------| | Australia | Referenced for government, defense, and cryptography systems. | @@ -79,7 +80,7 @@ Although FIPS 140 is primarily a North American government cryptographic standar | UAE | Trusted in finance, energy, and interoperability with the U.S. cryptography.| | United Kingdom | Referenced for defense, health, and procurement standards. | | United States | Mandatory for federal government systems and contractors. | -{{< /bootstrap-table >}} +{{< /table >}} ## FIPS compliant vs FIPS validated
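Review bot: in the first hunk of PATCH 1/3 (the sector table in content/nginx/fips-compliance-nginx-plus.md), the new three-value `Status` column drops qualifiers that the removed `Current Status` column carried, and in two rows it strengthens the claim: CMMC goes from `FIPS required for Levels 2 and 3 compliance.` to a bare `Mandatory`, and HITECH goes from `FIPS use aligns with encryption best practices for ePHI.` to `Mandatory` although the removed wording described best-practice alignment, not a requirement. Suggest keeping the qualifier inline (`Mandatory (Levels 2 and 3)`) and using `Recommended` where the earlier text did not state a requirement, so the simplification does not change what the page asserts. The `Transitioning` value also mixes two axes: FAA, Intelligence Community, NSA CSfC and Military & Tactical Systems already carry `140-2 to 140-3` in the Version column, so Status should still say whether FIPS is required for them (the removed FAA row, `140-2 modules common in existing systems; new systems use 140-3.`, implied it is). Finally, the group rows such as `| **Federal Programs** | | |` are ordinary data rows with two empty cells, which assistive technology announces as empty entries; one short table per sector, or a separate `Sector` column, would render more cleanly.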
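Review bot: the second hunk of PATCH 1/3 only swaps the link target from the RHEL 7 security guide to the RHEL 9 security-hardening page, while the rest of the sentence still says the documentation explains switching FIPS mode "by editing the boot options and restarting the system". That description was written against the RHEL 7 guide; confirm it matches the procedure on the newly linked RHEL 9 page and, if it does not, update the sentence together with the URL so the page does not describe one procedure while linking to another.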
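Review bot: the first hunk of PATCH 2/3 removes the opening `{{}}` (a shortcode whose tag name has already been lost) and the second hunk removes the closing `{{< /bootstrap-table >}}`, but only around the sector table: the country table further down still has its own `{{}}` / `{{< /bootstrap-table >}}` pair after this commit, so at this point in the series one table is wrapped and the other is not, and the remaining opening tag is still malformed. PATCH 3/3 repairs this; if the series is merged commit by commit rather than squashed, 2/3 and 3/3 should be folded together so no commit leaves the page with mismatched shortcodes.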
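Review bot: PATCH 3/3 replaces the wrappers on both tables with `{{< table >}}` / `{{< /table >}}`, which resolves the mismatch left by the earlier commits. Two checks before merging: first, confirm that a `table` shortcode actually exists in the docs theme, since the closing tags being replaced referenced `bootstrap-table` and an unknown shortcode fails the Hugo build rather than rendering as plain text; second, in the first hunk `+{{< table >}}` is added directly after the paragraph ending `...cryptographic security requirements.`, so verify a blank line separates the paragraph from the shortcode in the rendered file, matching the blank line that follows `{{< /table >}}` before the `### FIPS compliance in other countries` heading.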