From d5a806babd33c78f4b40081b0bb6a66eb7275869 Mon Sep 17 00:00:00 2001 From: dcs3spp Date: Fri, 2 Aug 2024 15:46:59 +0100 Subject: [PATCH] [DX-1579] Publish FIPS amendments (#5166) approval obtained from Jessica via slack conversation --------- Co-authored-by: Simon Pears --- .../fips-release.md | 33 ++++++++----------- 1 file changed, 13 insertions(+), 20 deletions(-) diff --git a/tyk-docs/content/developer-support/special-releases-and-features/fips-release.md b/tyk-docs/content/developer-support/special-releases-and-features/fips-release.md index 0481c78cf9..181bf250ee 100644 --- a/tyk-docs/content/developer-support/special-releases-and-features/fips-release.md +++ b/tyk-docs/content/developer-support/special-releases-and-features/fips-release.md 
@@ -31,28 +31,19 @@ in the context of [API management]({{< ref "#importance-of-FIPS-Compliance-in-AP ## Tyk's FIPS Compliance -We are pleased to announce that Tyk Gateway and Pump now offer FIPS compliance. The FIPS Tyk Gateway and the FIPS Tyk -Pump package (together, the *"FIPS Tyk Product"*) is FIPS 140-2 compliant. +We are pleased to announce that Tyk Gateway and Pump now offer a FIPS compliant package (together, the *"FIPS Tyk +Product”*). +FIPS compliance means that the *FIPS Tyk Product* only uses FIPS 140-2 approved algorithms while running in FIPS mode. +However, the product has not been submitted to a [NIST](https://www.nist.gov/federal-information-processing-standards-fips) testing lab for validation. Compliance applies only to special +built packages or docker images of the *FIPS Tyk Product*. These packages and images are not publicly accessible. Please +speak to your assigned account manager for more information. To achieve FIPS compliance, our components are compiled with a FIPS-validated crypto/hashing library. Specifically, Tyk -uses [BoringCrypto](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf), a FIPS-validated crypto/hashing library available for Go. +uses [BoringCrypto](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf), +a FIPS-validated crypto/hashing library available for Go. -**Note:** The use of the *FIPS Tyk Product* is conditional on user accepting any specific terms and conditions applicable to this -feature and a paid license. **Please contact your account manager** if you would like further information - -### The definition of "compliance" -The *FIPS Tyk Product* is designed to be compliant by using only FIPS 140-2 approved algorithms while running in FIPS -mode. 
It's important to note that while the product adheres to compliance standards, it has not undergone formal -validation by a [NIST](https://www.nist.gov/federal-information-processing-standards-fips) testing lab. This compliance -is specific to specially built packages or docker images of the *FIPS Tyk Product*. - -These packages and images are not publicly accessible. You can request them by contacting your assigned account manager. - -### Verification and Certification - -Tyk's FIPS compliance is based on the use of FIPS 140-2 validated cryptographic modules, specifically the BoringCrypto -module. While the *FIPS Tyk Product* is compliant with FIPS 140-2, it has not undergone formal validation by a NIST -testing lab. +**Note:** The use of the *FIPS Tyk Product* is conditional on user accepting any specific terms and conditions +applicable to this feature and a paid license. Please contact your account manager if you would like further information. ### FIPS-Compliant Cryptographic Operations @@ -76,10 +67,12 @@ Q: What level of FIPS 140-2 compliance does Tyk support? A: Tyk provides FIPS 140-2 compliance, ensuring the use of approved algorithms in FIPS mode. Q: Can I use Tyk in FIPS mode in cloud environments? + A: Yes but only for hybrid gateways deployed on your premise and connecting to the Cloud control plane. Q: Does FIPS mode affect Tyk's performance? -A: There may be a slight performance impact due to the use of FIPS-approved algorithms, but this is generally minimal. + +A: There should be no material impact on performance. ## Importance of FIPS Compliance {#importance-of-FIPS-Compliance}
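Review bot: In the first hunk, the sentence "only uses FIPS 140-2 approved algorithms while running in FIPS mode" now carries the whole compliance claim, but nothing in the rewritten section tells an operator how FIPS mode is enabled or how to confirm that a given binary or image is the FIPS build rather than the standard one; the deleted "Verification and Certification" subsection did not say so either, so this is the place to add it (a version string, a build tag, or a startup log line, whatever the FIPS packages actually expose). Related: the new text calls BoringCrypto "a FIPS-validated crypto/hashing library" and links the 140sp3678 security policy, but a CMVP certificate covers one specific module version; state which BoringCrypto/Go toolchain version the FIPS Tyk Product is compiled with so the link and the claim match. Two small fixes in the same hunk: `*"FIPS Tyk Product”*` mixes a straight opening quote with a curly closing one (the original line used straight quotes on both sides), and "conditional on user accepting" should read "conditional on the user accepting".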
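Review bot: In the second hunk, replacing "There may be a slight performance impact ... but this is generally minimal" with "There should be no material impact on performance" strengthens a claim the page does not substantiate; the commit message records approval over Slack but no measurement, so either keep the hedged wording or add the benchmark (workload, gateway version, throughput/latency delta) that supports the stronger statement. Also, the blank lines inserted between the "Q:" and "A:" lines are added for only two of the three Q&A pairs in this hunk; the unchanged "Q: What level of FIPS 140-2 compliance does Tyk support?" pair still has no blank line, so apply the same spacing to all three or to none. Minor, in the unchanged context line: "deployed on your premise" should be "deployed on your premises" (or "on-premises").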