Wherever this article refers to FIPS, you can substitute NIST; the same logic applies.

GCP uses a TLS library called BoringSSL. BoringSSL was submitted to NIST and checked for FIPS 140-2 compliance. It is therefore a validated FIPS module.

What does that mean?

"FIPS validated" simply means that, at some point in time, this module was validated. It does NOT mean that your end-to-end solution on GCP will be FIPS compliant.

It DOES mean that the solution is PARTLY compliant: the BoringSSL piece IS compliant.

However, in addition to BoringSSL, to truly ensure FULL compliance at the OS level you need to run a Linux distribution in FIPS-compliant mode.

FIPS Validation versus FIPS Compliance

FIPS validation means a product has undergone and passed detailed conformance testing at an accredited national laboratory.

FIPS compliance means that individual components of a product have received FIPS validation, but the product in its entirety has either not passed testing or has not been tested at all.

To operate using only FIPS-validated implementations, be aware of the following:

  • Google’s Local SSD storage product is automatically encrypted with NIST approved ciphers, but Google's current implementation for this product doesn’t have a FIPS 140-2 validation certificate. If you require FIPS-validated encryption on Local SSD storage, you must provide your own encryption with a FIPS-validated cryptographic module.
  • Google automatically encrypts traffic between VMs that travels between Google data centers using NIST-approved encryption algorithms, but this implementation does not have a FIPS validation certificate. If you require this traffic to be encrypted with a FIPS-validated implementation, you must provide your own.
  • When your clients connect to Google infrastructure, their TLS clients must be configured to require use of secure FIPS-compliant algorithms; if the TLS client and GCP's TLS services agree on an encryption method that is incompatible with FIPS, a non-validated encryption implementation will be used.
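Two defender-side checks for the points above, the OS-level FIPS mode and the TLS client configuration, as an added example that is not part of the article and not Google's code. It assumes a Linux host that exposes kernel FIPS mode at `/proc/sys/crypto/fips_enabled` (the usual path on RHEL/Ubuntu FIPS builds) and uses a constructed allow-list of OpenSSL suite names that is deliberately stricter than the minimum SP 800-52 permits; the rejection reasons are likewise constructed for illustration.

```python
"""Added example (not from the article): OS-level and TLS-client FIPS checks."""
import ssl
from pathlib import Path

# 1. OS level: Linux kernels expose FIPS mode here; "1" means FIPS mode is on.
#    Assumption: the path is the standard one for distributions that ship
#    FIPS-enabled kernels.
KERNEL_FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def kernel_fips_enabled(flag_path=KERNEL_FIPS_FLAG):
    """Return True if kernel FIPS mode is on, False if off, or None if it
    cannot be determined (non-Linux host, /proc not mounted)."""
    try:
        return Path(flag_path).read_text().strip() == "1"
    except OSError:
        return None


# 2. TLS client level: OpenSSL suite names built only from FIPS-approved
#    primitives (AES-GCM / AES-CBC, SHA-256 / SHA-384, ECDHE key exchange).
#    Constructed allow-list; narrower than FIPS strictly requires.
FIPS_ALLOWED = frozenset({
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    # TLS 1.3 suites using AES-GCM only.
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
})

# Substrings that explain a rejection; checked in order (constructed list).
REJECT_REASONS = (
    ("CHACHA20", "ChaCha20-Poly1305 is not a FIPS-approved cipher"),
    ("RC4", "RC4 is not an approved cipher"),
    ("DES", "DES/3DES is disallowed"),
    ("MD5", "MD5 is not an approved hash"),
    ("NULL", "suite provides no encryption"),
    ("CAMELLIA", "Camellia is not an approved cipher"),
    ("ARIA", "ARIA is not an approved cipher"),
    ("SEED", "SEED is not an approved cipher"),
)


def classify(suite):
    """Return 'approved' for an allow-listed suite, otherwise the reason."""
    if suite in FIPS_ALLOWED:
        return "approved"
    for marker, reason in REJECT_REASONS:
        if marker in suite:
            return reason
    return "not on the FIPS allow-list"


def audit(suite_names):
    """Split suite names into an approved list and a {name: reason} dict."""
    approved, rejected = [], {}
    for name in suite_names:
        verdict = classify(name)
        if verdict == "approved":
            approved.append(name)
        else:
            rejected[name] = verdict
    return approved, rejected


def build_fips_client_context():
    """Client context that negotiates TLS 1.2+ and offers only allow-listed
    TLS 1.2 suites. set_ciphers() does not govern TLS 1.3 suites and the
    standard library has no setter for them, so TLS_CHACHA20_POLY1305_SHA256
    may still be offered unless OpenSSL itself runs in FIPS mode."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    tls12 = sorted(s for s in FIPS_ALLOWED if not s.startswith("TLS_"))
    ctx.set_ciphers(":".join(tls12))
    return ctx


def audit_context(ctx):
    """(approved, rejected) for every suite the context would offer."""
    return audit(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("kernel FIPS mode:", kernel_fips_enabled())
    ok, bad = audit_context(build_fips_client_context())
    print(f"{len(ok)} approved suite(s); still offered but not approved: {bad}")
```

Run it on the host that will talk to GCP: the first line tells you whether the OS is actually in FIPS mode (the prerequisite from the OS-level point above), and any suite listed under "still offered but not approved" is one the client could still negotiate, which is exactly the non-validated path the last bullet warns about.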

Summary

FIPS compliance isn't the same as FIPS validation. Although FIPS validation is a stronger claim than compliance (validation means the encryption libraries were actually examined by NIST and approved), it does not guarantee a fully compliant solution.
