FIPS Validated vs FIPS compliant

I am an assessor trying to get some insight into whether the Buoyant.io containers are FIPS validated or compliant. I found a page that mentions there is/are FIPS 140-2/3 CMVP(s) for Buoyant.io but it says “compliant” or in “compliance” with FIPS 140-2/3. So… I wanted to get clarification in that area because these are fundamentally different in that you can run a FIPS-compliant configuration while not using FIPS-validated cryptographic modules, and if it is FIPS validated you may want to change the way it is advertised to avoid confusion among FedRAMP-seeking CSPs, Assessors, and others associated with the FedRAMP program.

Thank you very much @andy.rogers, we looked into this and based on your feedback and some further research and validation, we are updating the language on the website and docs.

Our FIPS builds of Buoyant Enterprise for Linkerd do use FIPS validated cryptographic libraries (with CMVP certificates) for all encryption, and use them in accordance with the Security Policy in the certificate. We’re updating the language to reflect this and to not muddy the waters with “compliant”. Appreciate the feedback!
