FIPS 140-2 is a standard published by the National Institute of Standards and Technology (NIST)[1]. NIST also established the Cryptographic Module Validation Program (CMVP)[2] that validates cryptographic modules to the FIPS 140-2 standard. Vendors seek validation for their cryptographic modules in order to provide assurance that their encryption solutions are properly implemented to an accepted standard.
A cryptographic module that has already been issued a FIPS 140-2 validation certificate may be incorporated or embedded into another product. [3]
In order to use a validated cryptographic module and attest FIPS 140-2 validation, the new product must:
CFEngine attests to NIST certificate number 1111.
These validations were not initiated by CFEngine, but any user of this Open Source software module can use them provided we follow the instructions in the security policy.
The current FIPS 140-2 Crypto Policy Officer for CFEngine resides at CFEngine AS/Inc headquarters. The security officer attests that packages provided by CFEngine, on the customer download site software.CFEngine.com, whose names contain the term FIPS in upper or lower case have been compiled according to the security policy for certificate 1111 [5]. CFEngine packages, marked FIPS, have been built from source code located at:
http://www.openssl.org/source/openssl-fips-1.2.tar.gz
according to the security policy documented in [6]. CFEngine can provide compliant software on all Unix-like platforms, but not currently on Windows.
CFEngine uses OpenSSL encryption code from the libcrypto library. It does not use any SSL or TLS specific modules. CFEngine uses RSA encryption for authentication. Commercial versions of CFEngine use AES-256 symmetric encryption with a random session key for transport.
It is CFEngine's policy to obtain a private validation of the OpenSSL crypto module at some time in the next two years for the principal purpose of branding. This is a long process and does not alter the specification of the software in any way.