Patch Releases Now Permitted for FIPS-Certified Bouncy Castle Java and C# .NET

With the recent approval of the FedRAMP Policy for Cryptographic Module Selection v1.1.0, we are aligning our support of FIPS-certified modules to reflect these updated compliance practices, by providing an “update stream” for our FIPS modules in order to allow users to update as soon as a patch for a CVE or other issue becomes available.

What is new:

It is now permissible to deploy patch versions of a FIPS-validated module without breaking compliance, as long as the cryptographic functions remain unchanged.

This change enables a more agile and secure update model, especially when vulnerabilities are discovered in existing validated modules. As FedRAMP Policy notes:
“...update streams are encouraged by this policy to ensure that remedies for known vulnerabilities are deployed quickly and that use of effective cryptography is encouraged where it is needed.” (Section 1)

What This Means for Bouncy Castle FIPS users:

• We are now publishing patch versions of FIPS-certified Bouncy Castle modules, starting with Java FIPS 2.1.1.
• These patches will include fixes to CVEs and other issues which are supported within FedRAMP’s “update stream” model.
• This shift enables organizations to stay secure while remaining compliant—a positive evolution for modern DevSecOps practices.

While this announcement is primarily directed at our FedRAMP users, we hope the new FedRAMP policy will also encourage our other users to make use of the patch releases as they become available.

As a release is published to the update stream, we will continue to work with our testing lab to ensure that releases pushed to the update stream will also be the source for releases with formal validation which we will continue to publish on what is now known as our “validation stream”.

Learn more about the release: Bouncy Castle Java FIPS 2.1.1 release notes.

Download BC-FJA 2.1.1 from Maven 

Download BC-FJA 2.1.1 from BouncyCastle.org