
Rajan Patel
on 30 August 2022


Encryption is key to protecting sensitive data. There are several methodologies using different cryptographic algorithms to convert plain text into cipher text. Navigating multiple methodologies and algorithms creates a complex, labour-intensive process for teams evaluating the cryptographic services offered within software components. 

The governments of the United States and Canada have encryption requirements for their own systems and for those used by their vendors. The Federal Information Processing Standard (FIPS) publication for cryptographic modules is an evolving standard, currently at version 140-2. FIPS 140-2 states which versions of certified software are suitable for use within all federal agencies and within entities that work with these agencies. Ubuntu will support FIPS 140-3 when it is ready, and organisations are already looking to implement that standard.

The FIPS standard for cryptographic modules and kernel configurations can serve as a baseline for your encryption and tamper-proofing policies. When embarking on a FIPS implementation, you’ll hear terms like FIPS certified and FIPS compliant – what’s the difference and which one is better?

The difference between FIPS certified and FIPS compliant

A FIPS certified implementation conforms to the FIPS standard, with no security enhancements beyond the bare minimum that is required. In response to a continuously evolving cybersecurity landscape, Canonical’s FIPS compliant implementation uses the FIPS standard as a baseline, and provides security enhancements beyond the standard, certified solution. 

How are FIPS Certified and FIPS Compliant implementations different? What makes the most sense for your organisation? The answer may surprise you.

Seeing past preconceptions

To find out whether it’s best to be FIPS certified vs FIPS compliant, let’s consider a hypothetical example from the automotive industry. ISO 26262 is a guideline for functional safety, and is an industry standard for car manufacturers. Assuming two automakers are producing identical cars, except one is ISO 26262 certified and the other is ISO 26262 compliant, which car is more appealing for consumers, and why?

If a hypothetical certified standard for cars mandates a metal body and four wheels, both cars above conform to the standard. The certified car conforms to the standard strictly, and no further. The compliant car treats the certified standard as a baseline and goes beyond that minimum.

As consumers, we know that a certified implementation takes a significant investment of time and money, and implies third-party validation of that work. Consumers’ knee-jerk reaction is to assume that the compliant implementation is an attempt to conform to best practices while skipping formal validation in favour of self-evaluation. The compliant vehicle is viewed as a generic knock-off. The certified vehicle is expected to have desirable attributes the generic can only aspire to.

While this is true for ISO 26262, is certified always better than compliant? The answer is: not always. Treating the standard as a baseline, and going above and beyond that baseline to mitigate risk, can produce better outcomes. Choosing between a compliant implementation and a certified implementation is a strategic decision.

Having a uniform level of security protects sensitive information and mitigates risk on any exposed attack surface. If your organisation requires a FIPS certified implementation, it’s worth asking about the risks of running systems with unpatched vulnerabilities: a certified module is fixed at the exact version that was validated, so security fixes cannot be applied to it without breaking strict conformance.

Learn more about the trade-offs between FIPS compliant and FIPS certified, and maximising security while minimising risk.

Watch a webinar recording about implementing FIPS safely

Presented by Canonical’s VP of Public Sector, Chris Huffman, and Product Managers Rajan Patel, Ijlal Loutfi, and Henry Coggill.

The webinar covers baselines, standards, and guidelines as they pertain to implementing FIPS with maximum security.

Access the Webinar

FIPS requirements are satisfied through Ubuntu

FIPS certified Ubuntu and FIPS compliant Ubuntu both qualify as a FIPS validated operating system. Between both offerings, the FIPS requirements for government agencies, their partners, and those wanting to conduct business with the federal government, are satisfied.

Watch our webinar, “Implementing FIPS with maximum security configurations”, to understand the trade-offs in more detail.

Manage Ubuntu with Landscape

Landscape is Canonical’s monitoring and management tool for Ubuntu. It can be deployed anywhere, including as a self-hosted service in air-gapped environments.

Beyond implementing and auditing for FIPS, Landscape also handles security and vulnerability patching, and is an essential component of many organisations’ broader compliance strategies. Self-hosted Landscape is free for limited personal or evaluation use. All machines with an active Ubuntu Pro subscription can use Landscape at no additional cost.

Landscape is included with Ubuntu Pro FIPS on Amazon Web Services and Microsoft Azure, and Ubuntu Pro on Google Cloud Platform.

If you want to learn more

Talk to us about FIPS on Ubuntu in air-gapped environments, and our professional services options.

Contact Us

Learn more about what we do around FIPS compliance here!
