FIPS Frequently Asked Questions and Resources

Welcome to our FIPS FAQ and Resources Page.

Frequently Asked Questions

General Questions

  1. Q 1. How to do I join the early access program?
     
    In general the best way to join is by getting a support contract, if you are specifically interested in a particular release, early access is also provided to people donating 5000 USD or more to sponsor the release. Sponsors are also provided with bragging rights if they want them.

  2. Q 2. What extras do I get with the early access program?
     
    Apart from access to the latest source of the FIPS API as it evolves and the right to use it, you also get access to the full source for both the CAVP and operations test harnesses, the original documentation, and some various other tools we have found useful.

  3. Q 3. We want to do a private validation of some, or all, of the APIs, what do we do?
     
    Get a support contract. This will give you access to consulting time for any issues you might have, as well as all the features of the early access program. Speak to your lab, if you don't have a lab already, or are unsure what to do next, read on.

  4. Q 4. When we told our developers about our plans to do a certification, they disappeared into the server room and didn't come out! We think they're hiding under the floor, is there anyone who can help?
     
    Yes, see our list of FIPS consultants. After you have selected one, the news you are getting some help, plus the smell of freshly brewed coffee is normally enough to get people back into the light.

  5. Q 5. Our developers are already experienced but we do not have an existing relationship with a testing lab, are there any you have worked with?
     
    Yes, see our list of FIPS accredited testing labs.

  6. Q 6. So you really are funding this effort with a mixture of support contracts, donations, and sponsorships?
     
    Yep. We're a legion and diversity is strength!

  7. Q 7. Are there any other compelling reasons for getting a support contract?
     
    As it happens there are. We have found two things that distinguish our support contract holders from our regular user base. Developers with access to a support contract are more likely to raise an issue with us early rather than try and muddle through, and developers with access to a support contract also take a more active interest in the beta releases, both FIPS and non-FIPS. The second one is useful as it means any issues or shortfalls in the beta are able to be fixed while the updates are still in beta. The first one is a real cost saver as it does not lead to us receiving emails starting with "Our development team has spent (some number of) weeks trying to work out..." It is much cheaper to have a support contract!

Java Related Questions

  1. Q 1. Where can I find the Bouncy Castle FIPS certified APIs for Java?
     
    The current and previous Java FIPS releases are at https://www.bouncycastle.org/fips-java

  2. Q 2. What JVMs are the APIs currently certified for?
     
    The current APIs are certified for Java 1.7 and Java 1.8.

  3. Q 3. Are there any versions for Android?
     
    We have versions using the widely respected "org.spongycastle" trick for Lollipop, Marshmallow, and Nougat. These are currently only available under the early access program.

  4. Q 4. Is there a roadmap for future Java releases?
     
    Yes, you can find some more details on our Java FIPS roadmap page.

C# .NET Related Questions

  1. Q 1. Where can I find the Bouncy Castle FIPS certified APIs for C# .NET?
     
    The current and previous C# .NET FIPS releases are at https://www.bouncycastle.org/fips-csharp

  2. Q 2. What Common Language Runtime (CLR) are APIs for C# .NET targeted at?
     
    The base CLR for the C# .NET FIPS is CLR 4.

  3. Q 3. Is there a road map for future C# .NET releases?
     
    Yes, you can find some more details on our C# .NET FIPS roadmap page.

FIPS Consultants and Accredited Labs

This is the current list of people/organisations we've worked with at some level. The main thing they have in common is they've shown the sensibility (and even humor) required to work with an Open Source effort like Bouncy Castle and regimes like that of FIPS 140-2 and Common Criteria.

If you are trying to work out the ordering, the list is alphabetical. If you would like to be on the list and you are not, contact us at office@bouncycastle.org. Putting the list together proved trickier than we thought, we apologize in advance if we've left someone off who should be on it.

FIPS Consultants

KeyPair Consulting

Contact: Mark Minnoch
mark@fips.pro

KeyPair Consulting
872 Higuera Street
San Luis Obispo, CA 93401
United States of America

Symbiotic Systems Research

Contact: Randall Steck
rsteck@symsysresearch.com

Symbiotic Systems Research
5618 Bloomfield Drive, Suite #1
Alexandria, VA 22312
United States of America

FIPS Accredited Labs

Acumen Security

Contact: Ryan Thomas
rthomas@acumensecurity.net

Laboratory Manager, CISSP, CISA
Acumen Security
18504 Office Park Dr
Montgomery Village, MD 20886
United States of America

CGI Global IT Security Labs

Contact: Jason Cunningham
jason.cunningham@cgi.com

Program Manager, FIPS 140
CGI Global IT Security Labs - Canada
1410 Blair Place, 7th floor
Ottawa, ON K1J 9B9
Canada

InfoGard, a UL Company

Contact: Marc Ireland
Marc.Ireland@ul.com

FIPS Program Manager, CISSP
InfoGard Laboratories
709 Fiero Lane, Suite 25
San Luis Obispo, CA 93401
United States of America