The United States government established the Federal Information Processing Standards (FIPS) as guidelines for the implementation of federal computer systems. They’re developed and maintained by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and are approved by the US Secretary of Commerce. FISMA requires all US government agencies to comply with mandatory FIPS standards.
Although these standards are developed for use by US government agencies, many private sector entities in the US and other countries require products to comply with them in order to be considered for purchase.
Load balancers or application delivery controllers (ADCs) are used to connect users to applications securely. In addition to encrypting secure connections to the load balancer for management, these appliances also manage secure connections to both application clients and the servers running the applications. In performing these critical security operations, all LoadMasters (physical, virtual, cloud) in software FIPS mode employ certified cryptography implemented according to strict industry and governmental standards.
Not all cryptography methods are created equal – the level of assurance and effective security they provide varies widely. Bad actors are constantly updating their techniques to take advantage of legacy and obsolete methods still employed by unwary organizations. The FIPS standards specify that compliant systems only use ciphers and algorithms that have been thoroughly tested and approved against the rigorous requirements embodied in the FIPS standards.
Purchasing systems that are certified as FIPS-compliant is vital to the security of your organization’s proprietary information and data, including user data. These standards are designed to apply to any organization that stores, shares, and disseminates unclassified sensitive information, whether the organization deals directly with the US government or not. As a result, these publicly available standards are regarded internationally as the gold standard for strong and reliable data encryption.
FIPS 140-2 and FIPS 140-3 are the current mandatory standards associated with encryption of unclassified information. They are required by the US Department of Defense for all information technology purchases. These standards are primarily concerned with three key processes: private key creation and storage, digital signatures, and encryption.
The FIPS 140-2 standard was last updated in 2002. FIPS 140-2 certifications will be valid until September 22, 2026. On that date, all FIPS 140-2 certificates will be moved to “Historical” status and cannot be used to justify purchase of new equipment by US government agencies.
FIPS 140-3 is the successor certification standard that will be required for all computer software and hardware purchased by US agencies after the above date. The LoadMaster team is planning its FIPS 140-3 certification effort and will provide a smooth transition for customers in advance of the above date.
Starting with LMOS 7.2.54.7, LoadMaster software FIPS mode achieves FIPS 140-2 Level 1 by the integration of the OpenSSL 3 FIPS Object Module (FOM). The OpenSSL 3 FOM is a software-based certified encryption module that is compliant with FIPS 140-2 Level 1. The certificate issued to the OpenSSL organization can be viewed here.
LoadMaster has incorporated the certified OpenSSL 3 module into its software FIPS mode and is in the process of obtaining a rebranded certificate, as shown on the NIST Modules In Process List. Progress has also engaged with a certified testing laboratory to add LoadMaster operating environments to the rebranded certificate. The testing is complete and should be submitted for final certification by NIST in 2Q2024.
Note that the OpenSSL 3 FOM is currently available only in 7.2.54.7 and subsequent releases on the 7.2.54.x Long Term Support Feature (LTSF) release branch. Availability in a General Availability (GA) top-of-tree new feature release is planned for later in 2024.
For more information on LMOS 7.2.54.7 and software FIPS mode, please see:
For more general information on FIPS and NIST, and their importance to information security, please see NIST’s FIPS FAQ webpage and other resources on the NIST website.