2025-08-01
With the recent approval of the FedRAMP Policy for Cryptographic Module Selection v1.1.0, we are aligning our support of FIPS-certified modules to reflect these updated compliance practices, by providing an “update stream” for our FIPS modules in order to allow users to update as soon as a patch for a CVE or other issue becomes available.
It is now permissible to deploy patch versions of a FIPS-validated module without breaking compliance, as long as the cryptographic functions remain unchanged.
This change enables a more agile and secure update model, especially when vulnerabilities are discovered in existing validated modules. As FedRAMP Policy notes:
“...update streams are encouraged by this policy to ensure that remedies for known vulnerabilities are deployed quickly and that use of effective cryptography is encouraged where it is needed.” (Section 1)
While this announcement is primarily directed at our FedRAMP users, we hope the new FedRAMP policy will also encourage our other users to make use of the patch releases as they become available.
As a release is published to the update stream, we will continue to work with our testing lab to ensure that releases pushed to the update stream will also be the source for releases with formal validation which we will continue to publish on what is now known as our “validation stream”.
Learn more about the release: Bouncy Castle Java FIPS 2.1.1 release notes.
Download BC-FJA 2.1.1 from Maven
Download BC-FJA 2.1.1 from BouncyCastle.org