FIPS certified vs compliant: what’s safer?

Rajan Patel

on 30 August 2022

This article was last updated 1 year ago.


Encryption is key to protecting sensitive data. There are several methodologies using different cryptographic algorithms to convert plain text into cipher text. Navigating multiple methodologies and algorithms creates a complex, labour-intensive process for teams evaluating the cryptographic services offered within software components. 

The governments of the United States and Canada have encryption requirements for their own systems, and those used by their vendors. The Federal Information Processing Standard (FIPS) Publication is an evolving standard, currently at version 140-2. FIPS 140-2 states what versions of certified software are suitable for use within all federal agencies and entities that work with these agencies. Ubuntu will support FIPS 140-3 when it is ready, and organisations are looking to implement that standard.

The FIPS standard for cryptographic modules and kernel configurations can serve as a baseline for your encryption and tamper-proofing policies. When embarking on a FIPS implementation, you’ll hear terms like FIPS certified and FIPS compliant – what’s the difference and which one is better?

The difference between FIPS certified and FIPS compliant

A FIPS certified implementation conforms to the FIPS standard, with no security enhancements beyond the bare minimum that is required. In response to a continuously evolving cybersecurity landscape, Canonical’s FIPS compliant implementation uses the FIPS standard as a baseline, and provides security enhancements beyond the standard, certified solution. 

How are FIPS Certified and FIPS Compliant implementations different? What makes the most sense for your organisation? The answer may surprise you.

Seeing past preconceptions

To find out whether it’s best to be FIPS certified vs FIPS compliant, let’s consider a hypothetical example from the automotive industry. ISO 26262 is a guideline for functional safety, and is an industry standard for car manufacturers. Assuming two automakers are producing identical cars, except one is ISO 26262 certified and the other is ISO 26262 compliant, which car is more appealing for consumers, and why?

If a hypothetical certified standard for cars mandates a metal body and 4 wheels, both cars above conform to the standard. The car on the left is certified, with strict conformance. The car on the right treats the certified standard as a baseline, and goes beyond that minimum.

As consumers we know that a certified implementation takes a significant investment in time and money, and implies third party validation of this work. Consumers’ knee-jerk reaction is to assume the compliant implementation may be an attempt to conform to best practices by skipping formal validation, in favour of self-evaluation. The compliant vehicle is viewed as a generic knock-off. The certified vehicle is expected to have desirable attributes the generic can only aspire to have.

While this is true for ISO 26262, is certified always better than compliant? The answer is, not always. Treating the standard as a baseline, and going above and beyond the baseline to mitigate risk, can produce better outcomes. The difference between a compliant implementation and a certified implementation is a strategic decision. 

Having a uniform level of security protects sensitive information, and mitigates risk on any exposed attack surfaces. If your organisation requires a FIPS certified implementation, it’s worth asking about the risks associated with running systems with unpatched vulnerabilities.

Learn more about the trade-offs between FIPS compliant and FIPS certified, and maximising security while minimising risk.

Watch a webinar recording about implementing FIPS safely

Presented by Canonical’s VP of Public Sector, Chris Huffman, and Product Managers Rajan Patel, Ijlal Loutfi, and Henry Coggill.

The webinar covers baselines, standards, and guidelines as they pertain to implementing FIPS with maximum security.

Access the Webinar

FIPS requirements are satisfied through Ubuntu

FIPS certified Ubuntu and FIPS compliant Ubuntu both qualify as a FIPS validated operating system. Between both offerings, the FIPS requirements for government agencies, their partners, and those wanting to conduct business with the federal government, are satisfied.

Watch our webinar, “Implementing FIPS with maximum security configurations“,  to understand the trade-offs in more detail.

Manage Ubuntu with Landscape

Landscape is Canonical’s monitoring and management tool for Ubuntu which can be deployed anywhere, even as a self-hosted service in air-gapped environments.

Beyond implementing and auditing for FIPS, Landscape also handles security and vulnerability patching, and is an essential component of many organisations’ broader compliance strategies. Self-hosted Landscape is free for limited personal or evaluation use. All machines with an active Ubuntu Pro subscription can use Landscape at no additional cost.

Landscape is included with Ubuntu Pro FIPS on Amazon Web Services and Microsoft Azure, and Ubuntu Pro on Google Cloud Platform.

If you want to learn more

Talk to us about FIPS on Ubuntu in air-gapped environments, and our professional services options.

Contact Us

Learn more about what we do around FIPS compliance here!

Ubuntu cloud

Ubuntu offers all the training, software infrastructure, tools, services and support you need for your public and private clouds.

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

6 facts for CentOS users who are holding on

Considering migrating to Ubuntu from other Linux platforms, such as CentOS? Find six useful facts to get started!

Meet our Public Sector team at Technet Augusta 2024

We’re excited to announce our participation in Technet Augusta 2024 from 19 to 22 August.

How Canonical enables PCI-DSS compliance

Anyone who deals with online payments will have heard of PCI-DSS. The Payment Card Industry Data Security Standard is a comprehensive security control...