FIPS 140‑3 Readiness — Verified Features, Gaps, and Rollout Steps

Scope and sources

  • Based on ms_bff_spike/ms_bff/src/services/idp_client.py, src/routes/auth_stub.py, enterprise SDK references, tests mentioning FIPS, and design docs.

Verified features in code

  • Enterprise OAuth client usage: IdPClient initializes empowernow_common.oauth.HardenedOAuth with fips_mode=True (HTTPS path), and fails fast if the enterprise SDK is missing.
  • Session/Redis path: Enterprise Redis manager references and tests indicate FIPS‑aware usage in production paths (auth_stub.py comments and tests).
  • TLS and HTTP client: Tests reference “FIPS‑compliant HTTP client” initialization and SSL context configuration.
  • Metrics/health: Tests check fips_mode flags in health responses.

Configuration knobs (env)

  • FIPS_MODE or equivalent flags are referenced in tests; IdPClient passes fips_mode=True into HardenedOAuth when using HTTPS issuer path.
  • Enterprise SDK determines the actual crypto backend; code checks and logs critical errors if unavailable.

What this implies

  • The BFF is designed to operate with a FIPS‑capable OAuth/HTTP stack via the enterprise HardenedOAuth client. When present, token exchange/refresh and TLS are handled in a FIPS‑mode code path.
  • If the enterprise SDK is not present, the BFF logs and raises engine‑level errors where required (IdP client), preventing a misconfigured non‑FIPS deployment.

Gaps and non‑claims

  • We do not ship FIPS validation certificate numbers or claim a validated crypto module within this public repo. Compliance depends on the enterprise SDK runtime and the platform crypto it is built on.
  • No explicit Node runtime FIPS toggling is part of the SPAs; the browser uses the platform TLS stack.

Operational rollout checklist (to be compliant)

  • Backend
    • Ensure the enterprise empowernow_common packages are installed and configured; HardenedOAuth must initialize with fips_mode=True.
    • Pin TLS and cipher policies per your platform’s FIPS policy (OpenSSL FIPS provider or equivalent); verify via health endpoint/tests.
    • Verify Redis/Kafka connectors are configured to use FIPS‑approved crypto/TLS (enterprise clients if applicable).
    • Run the included FIPS tests (where present) and add platform checks in CI to ensure FIPS mode is active.
  • Frontend
    • No FIPS‑specific code changes; SPAs rely on browser TLS. Ensure deployment uses compliant TLS suites.

Evidence to capture

  • Logs showing HardenedOAuth initialized with fips_mode=True.
  • Health endpoints or test outputs that report fips_mode: true.
  • TLS config snapshots (OpenSSL provider status, cipher suites) on runtime hosts.
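The CI platform check from the backend checklist and the evidence items above, as an added example (not project code): it probes the Python/OpenSSL runtime for FIPS behaviour, validates a health body for a strict boolean fips_mode, and snapshots the TLS cipher list. The health JSON samples and the `evaluate` record format are constructed for illustration; the real health endpoint path and the enterprise SDK API are not assumed.

```python
"""Constructed CI check for the FIPS rollout checklist (added example, not project code)."""
import hashlib
import json
import ssl
from typing import Any


def runtime_md5_blocked() -> bool:
    """True when the runtime refuses MD5 for security use, as an active FIPS provider does."""
    try:
        hashlib.md5(b"probe", usedforsecurity=True)
    except ValueError:
        return True
    return False


def health_reports_fips(body: str) -> bool:
    """Require an explicit JSON boolean fips_mode == true in the health response."""
    try:
        data: dict[str, Any] = json.loads(body)
    except json.JSONDecodeError:
        return False
    # Strict: the string "true" or a missing key must not count as compliant.
    return data.get("fips_mode") is True


def tls_cipher_snapshot() -> list[str]:
    """Cipher suite names the default client context would offer; captured as evidence."""
    ctx = ssl.create_default_context()
    return sorted({c["name"] for c in ctx.get_ciphers()})


def evaluate(health_body: str) -> dict[str, Any]:
    """Combine the checks into one evidence record; `compliant` is what CI gates on."""
    md5_blocked = runtime_md5_blocked()
    health_ok = health_reports_fips(health_body)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "md5_blocked": md5_blocked,
        "health_fips_mode": health_ok,
        "ciphers": tls_cipher_snapshot(),
        "compliant": md5_blocked and health_ok,
    }


# Constructed sample health bodies: one correct, one with a common type mistake.
SAMPLE_HEALTH_OK = '{"status": "ok", "fips_mode": true}'
SAMPLE_HEALTH_STRING = '{"status": "ok", "fips_mode": "true"}'

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_HEALTH_OK), indent=2))
```

On a non-FIPS host `md5_blocked` is False and the record is non-compliant even when the health body is correct, which is the failure the CI gate is meant to catch.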