
The National Institute of Standards and Technology (NIST) issues the Federal Information Processing Standard (FIPS) Publication Series 140 to coordinate the requirements and standards for cryptographic modules, which include both hardware and software components, for use by departments and agencies of the United States and Canadian governments to protect sensitive information.
FIPS 140 Compliance
Cloud Service Providers (CSPs) are required to implement FIPS security controls to satisfy the requirements of cloud computing for the US and Canadian governments as well as their contractors and vendors. FIPS Publication 140 stipulates that if encryption is employed as a mechanism to meet a security requirement, it must be FIPS validated under the Cryptographic Module Validation Program (CMVP).
The most recent FIPS Publication Series 140, from 2020, is the third revision, commonly referred to as FIPS 140-3. NIST is in the middle of a transition roadmap for migration from the FIPS 140-2 standard to the 140-3 standard, and Google is committed to this transition. Since September 2022, all of Google's FIPS 140 submissions for new modules have been under the 140-3 standard. Google's core software module, BoringCrypto, has received a FIPS 140-3 certificate (#5104). Certifications issued under the FIPS 140-2 standard remain valid and acceptable for federal compliance programs until their expiration date.
Google Cloud FIPS 140 Compliance
Data at rest in Google Cloud is protected with FIPS 140–validated modules. Google automatically encrypts traffic between VMs that travels between Google data centers using FIPS-validated encryption.
Data in transit in Google Cloud is processed by FIPS 140–validated modules; for example, this includes SSH connections, data center traffic, service-to-service connections, and external interfaces (using TLS 1.2 or higher). To ensure a FIPS 140–validated connection, customers must ensure that machines connecting to Google Cloud are configured to use certified encryption modules. Customers are advised to use TLS 1.2 or higher to ensure a FIPS 140–validated connection.
In accordance with FedRAMP Policy for Cryptographic Module Selection and Use, Google utilizes the update stream containing the latest patches and updates to be applied to software, regardless of the FIPS validation status of the updated software. Google retains artifacts demonstrating that updated major versions are submitted to the Cryptographic Module Validation Program (CMVP) within six months of release and provides visibility into cryptographic module use (including versions) as part of its continuous monitoring program per SI - (2). For more information on Google Cloud’s cryptographic module control implementations, please reach out to our sales team or your Google Cloud representative, who can help provide access to our FedRAMP documentation. Government customers may also request Google’s FedRAMP package through the FedRAMP Program Management Office using its package request form.
Google consistently implements this policy, applying the update stream model to other directives that require FIPS cryptographic certification, for example CJIS, ITAR, DoD IL4 and IL5, IRS 1075, JISF, and Protected B.
Note: Customer applications built and operating on Google Cloud might include their own cryptographic implementations; in order for the data they process to be secured with a FIPS-validated cryptographic module, customers must integrate such an implementation.