1. Home
  2. /
  3. About
  4. /
  5. FIPS FAQ

FIPS FAQ

We have put together this FAQ to address specific queries related to the FIPS versions of the Bouncy Castle Cryptographic APIs.

Bouncy Castle prophet
hero-sub-2

Find your answers

The FAQ covers general FIPS inquiries, as well as those specifically concerning the Java FIPS version and the C# .NET version. Moreover, if you are considering certification and require assistance, we offer a list of individuals and organizations we have collaborated with, including FIPS consultants and FIPS-accredited labs.

General Questions

Java FIPS Questions

C# .NET FIPS Questions

FIPS Consultants and accredited Labs

General Questions

What is a FIPS certified Cryptographic API like Bouncy Castle and when do I need it?

A FIPS (Federal Information Processing Standards) certified Cryptographic API, such as the one provided by Bouncy Castle, refers to a cryptographic library that has been validated against the standards set forth by the National Institute of Standards and Technology (NIST) in the United States. These standards ensure that cryptographic algorithms and modules meet specific security requirements, making them suitable for use in government and sensitive commercial applications.

Bouncy Castle's FIPS-certified Cryptographic API offers a high level of assurance regarding the security and reliability of cryptographic operations. Previously certified to FIPS 140-2, the Bouncy Castle APIs now adhere to the stringent guidelines outlined in the FIPS 140-3 standard which is recognized internationally for its rigorous testing and validation procedures.

You may need to use Bouncy Castle FIPS certified Cryptographic APIs in scenarios where regulatory compliance or security mandates dictate the use of validated cryptographic modules. For instance, if you’re developing software for government agencies, financial institutions, or healthcare organizations that are subject to regulatory frameworks.

Additionally, industries with stringent security needs, such as defense, aerospace, and critical infrastructure, often require the use of FIPS-validated cryptographic modules.

How to do I join the early access program?

What extras do I get with the early access program?

We want to do a private validation of some, or all, of the APIs, what do we do?

When we told our developers about our plans to do a certification, they disappeared into the server room and didn't come out! We think they're hiding under the floor, is there anyone who can help?

Our developers are already experienced but we do not have an existing relationship with a testing lab, are there any you have worked with?

So you really are funding this effort with a mixture of support contracts, donations, and sponsorships?

Are there any other compelling reasons for getting a support contract?

I am still not quite there with the support contract, can I still report an issue?

Java FIPS Questions

What are the current release details for the Bouncy Castle FIPS certified APIs for Java?

The most recent release for the Bouncy Castle FIPS module for Java is 2.0.0 and labeled BC-FJA 2.0.0. BC-FJA 2.0.0 has been issued NIST certificate #4743.

Where can I find the Bouncy Castle FIPS certified APIs for Java?

What JVMs are the APIs currently certified for?

Are there any versions for Android?

Is there a roadmap for future Java FIPS releases?

C# .NET FIPS Questions

What are the current release details for the Bouncy Castle FIPS certified APIs for C# .NET?

The most recent release for the Bouncy Castle FIPS module for C# .NET is 1.0.2 and labeled BC-FNA 1.0.2. BC-FNA 1.0.2 has been issued NIST certificate #4416.

Where can I find the Bouncy Castle FIPS certified APIs for C# .NET?

What Common Language Runtime (CLR) are APIs for C# .NET targeted at?

Is there a roadmap for future C# .NET releases?

FIPS CONSULTANTS AND ACCREDITED LABS 

This is the current list of people/organisations we've worked with at some level. The main thing they have in common is they've shown the sensibility (and even humor) required to work with an Open Source effort like Bouncy Castle and regimes like that of FIPS 140-2, FIPS 140-3 and Common Criteria. 

If you are trying to work out the ordering, the list is alphabetical. If you would like to be on the list and you are not, contact us at office@bouncycastle.org. Putting the list together proved trickier than we thought, we apologize in advance if we've left someone off who should be on it. 

FIPS Consultants

Corsec Security, Inc.

Contact:
Jake Nelson
jnelson@corsec.com

Corsec Security, Inc.
13921 Park Center Rd #460,
Herndon, VA 20171
United States of America

KeyPair Consulting

Contact:
Mark Minnoch
mark@keypair.us

KeyPair Consulting
987 Osos Street
San Luis Obispo, CA 93401
United States of America

Symbiotic Systems Research

Contact:
Randall Steck
rsteck@symsysresearch.com

Symbiotic Systems Research
5618 Bloomfield Drive, Suite #1
Alexandria, VA 22312
United States of America

FIPS Accredited Labs