FIPS 140 Compliance logo
U.S. | Government and public sector

FIPS 140 Compliance

The National Institute of Standards and Technology (NIST) issues the Federal Information Processing Standard (FIPS) Publication Series 140 to coordinate the requirements and standards for cryptographic modules which include both hardware and software components for use by departments and agencies of the United States and Canadian governments to protect sensitive information.

FIPS 140 Requirements

Cloud Service Providers (CSPs) are required to implement FIPS security control to satisfy the requirements of Cloud computing for the US and Canadian governments as well as their contractors and vendors. The FIPS publication 140 stipulates that if encryption is employed as a mechanism to meet a security requirement, it must be FIPS validated under the Cryptographic Module Validation Program (CMVP).

The most recent FIPS Publication Series 140 from 2020 is a third revision, commonly referred to as FIPS 140-3. NIST is in the middle of a transition roadmap for migration from the FIPS 140-2 to 140-3 standard, and Google is committed to this transition. Since September 2022, all of Google's FIPS 140 submissions for new modules have been under the 140-3 standard. Google's core software module, BoringCrypto, has received a FIPS 140-3 certificate (#4735). Certifications issued under the FIPS 140-2 standard remain valid and acceptable for federal compliance programs until their expiration date.

Google Cloud FIPS 140 Compliance

Data at rest in Google Cloud is protected with FIPS 140–validated modules. Google automatically encrypts traffic between VMs that travels between Google data centers using FIPS-validated encryption.

Data in transit in Google Cloud is protected by FIPS 140–validated modules; for example this includes SSH connections, data center traffic, service-to-service connections, and external interfaces (using TLS 1.2 or higher). To ensure a FIPS 140–validated connection, customers must ensure that machines connecting to Google Cloud are configured to use certified encryption modules. Customers should use TLS 1.2 or higher to ensure a FIPS 140–validated connection.

In accordance with FedRAMP Policy for Cryptographic Module Selection and Use, Google utilizes the update stream containing the latest patches and updates to be applied to software, regardless of the FIPS validation status of the updated software.

Note: Customer applications built and operating on Google Cloud might include their own cryptographic implementations; in order for the data they process to be secured with a FIPS-validated cryptographic module, customers must integrate such an implementation.

Take the next step

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Google Cloud
DocsSupport
Console
Sign in
Security
Threat IntelSecOpsCloud securityConsultingSecurity resources
  • Accelerate your digital transformation
  • Whether your business is early in its journey or well on its way to digital transformation, Google Cloud can help solve your toughest challenges.
  • Featured Products
  • Business Intelligence
  • Hybrid and Multicloud
  • Industry Specific
  • Media Services
  • Mixed Reality
  • Productivity and Collaboration
  • Save money with our transparent approach to pricing
  • Google Cloud's pay-as-you-go pricing offers automatic savings based on monthly usage and discounted rates for prepaid resources. Contact us today to get a quote.
Google Cloud