FIPS Frequently Asked Questions and Resources

Welcome to our FIPS FAQ and Resources Page.

Frequently Asked Questions

General Questions

  1. Q 1. How do I join the early access program?
     
    In general, the best way to join is by getting a support contract. If you are specifically interested in a particular release, early access is also provided to people donating 10000 USD or more to sponsor the release. Sponsors are also provided with bragging rights if they want them.

  2. Q 2. What extras do I get with the early access program?
     
    Apart from access to the latest source of the FIPS API as it evolves and the right to use it, you also get access to the full source for both the CAVP and operations test harnesses, the original documentation, and various other tools we have found useful.

  3. Q 3. We want to do a private validation of some, or all, of the APIs, what do we do?
     
    You will need a support contract and to pay a rebrand fee. This will give you an authority letter for NIST granting permission to do the rebrand, access to consulting time for any issues you might have, as well as all the features of the early access program. Speak to your lab. If you don't have a lab already, or are unsure what to do next, read on.

  4. Q 4. When we told our developers about our plans to do a certification, they disappeared into the server room and didn't come out! We think they're hiding under the floor, is there anyone who can help?
     
    Yes, see our list of FIPS consultants. After you have selected one, the news that you are getting some help, plus the smell of freshly brewed coffee, is normally enough to get people back into the light.

  5. Q 5. Our developers are already experienced but we do not have an existing relationship with a testing lab, are there any you have worked with?
     
    Yes, see our list of FIPS accredited testing labs.

  6. Q 6. So you really are funding this effort with a mixture of support contracts, donations, and sponsorships?
     
    Yep. We're a legion and diversity is strength!

  7. Q 7. Are there any other compelling reasons for getting a support contract?
     
    As it happens there are. We have found two things that distinguish our support contract holders from our regular user base. Developers with access to a support contract are more likely to raise an issue with us early rather than try and muddle through, and developers with access to a support contract also take a more active interest in the beta releases, both FIPS and non-FIPS. The second one is useful as it means any issues or shortfalls in the beta are able to be fixed while the updates are still in beta. The first one is a real cost saver as it does not lead to us receiving emails starting with "Our development team has spent (some number of) weeks trying to work out..." It is much cheaper to have a support contract!

  8. Q 8. I am still not quite there with the support contract, can I still report an issue?
     
    Sure. Please contact us at feedback-crypto@bouncycastle.org. We can also provide a PGP key if you believe the issue is a security concern or otherwise requires it.

Java Related Questions

  1. Q 1. What are the current release details for the Bouncy Castle FIPS certified APIs for Java?
     
    The most recent release for the Bouncy Castle FIPS module for Java is 1.0.2.4 and labeled BC-FJA 1.0.2.4. BC-FJA 1.0.2.4 has been issued NIST certificate #4616.

  2. Q 2. Where can I find the Bouncy Castle FIPS certified APIs for Java?
     
    The current and previous Java FIPS releases are at https://www.bouncycastle.org/fips-java

  3. Q 3. What JVMs are the APIs currently certified for?
     
    The current APIs are certified for Java 1.7, Java 1.8, and Java 1.11.

  4. Q 4. Are there any versions for Android?
     
    FIPS on Android is a little complex - the FIPS module needs to be installed on the device in order for all the start up tests to be run correctly. Based on the widely respected "org.spongycastle" trick, we have actual FIPS modules in the package "org.stripycastle" for Lollipop, Marshmallow, Nougat, and Oreo.

    We also have an "org.spongycastle" packaging with some start up tests disabled that can be used in an application. Note: this last one is FIPS derived, not FIPS compliant.

    The Android releases are currently only available under the early access program.

  5. Q 5. Is there a roadmap for future Java releases?
     
    Yes, you can find some more details on our Java FIPS roadmap page.

C# .NET Related Questions

  1. Q 1. What are the current release details for the Bouncy Castle FIPS certified APIs for C# .NET?
     
    The most recent release for the Bouncy Castle FIPS module for C# .NET is 1.0.2 and labeled BC-FNA 1.0.2. BC-FNA 1.0.2 has been issued NIST certificate #4416.

  2. Q 2. Where can I find the Bouncy Castle FIPS certified APIs for C# .NET?
     
    The current and previous C# .NET FIPS releases are at https://www.bouncycastle.org/fips-csharp

  3. Q 3. What Common Language Runtime (CLR) are the APIs for C# .NET targeted at?
     
    The base CLR for the C# .NET FIPS is CLR 4.

  4. Q 4. Is there a roadmap for future C# .NET releases?
     
    Yes, you can find some more details on our C# .NET FIPS roadmap page.

FIPS Consultants and Accredited Labs

This is the current list of people/organisations we've worked with at some level. The main thing they have in common is they've shown the sensibility (and even humor) required to work with an Open Source effort like Bouncy Castle and regimes like that of FIPS 140-2 and Common Criteria.

If you are trying to work out the ordering, the list is alphabetical. If you would like to be on the list and you are not, contact us at office@bouncycastle.org. Putting the list together proved trickier than we thought, so we apologize in advance if we've left someone off who should be on it.

FIPS Consultants

Corsec Security, Inc.

Contact: Jake Nelson
jnelson@corsec.com

Corsec Security, Inc.
13921 Park Center Rd #460,
Herndon, VA 20171
United States of America

KeyPair Consulting

Contact: Mark Minnoch
mark@keypair.us

KeyPair Consulting
987 Osos Street
San Luis Obispo, CA 93401
United States of America

Symbiotic Systems Research

Contact: Randall Steck
rsteck@symsysresearch.com

Symbiotic Systems Research
5618 Bloomfield Drive, Suite #1
Alexandria, VA 22312
United States of America

FIPS Accredited Labs

Acumen Security

Contact: Josh Kolstad
joshua.kolstad@intertek.com

Laboratory Manager,
Acumen Security
18504 Office Park Dr
Montgomery Village, MD 20886
United States of America

ADVANCED DATA SECURITY

Contact: Eugene Polulyakh
ep@adseclab.com

Laboratory Director
ADVANCED DATA SECURITY
1933 O'Toole Way
San Jose, CA 95131
United States of America

ÆGISOLVE, INC.

Contact: Travis Spann
tspann@aegisolve.com

Laboratory Director
ÆGISOLVE, INC.
415 Fairchild Dr.
Mountain View, CA. 94043
United States of America

Lightship Security, Inc.

Contact: Jason Lawlor
jason.lawlor@lightshipsec.com

Lightship Security
302 - 135 Rideau Street,
Ottawa, ON K1N 5X4
Canada

Teron Labs

Contact: Juan Gonzalez
juan@teronlabs.com

Laboratory Director
Teron Labs
Unit 3, 10 Geils Court
Deakin, ACT 2600
Australia

UL

Contact: Gerrit Kruitbosch
Gerrit.Kruitbosch@ul.com

UL - InfoGard Laboratories
709 Fiero Lane, Suite 25
San Luis Obispo, CA 93401
United States of America