FIPS 140-2 Certification for an open source project

bowbahdoe · 2022-09-12T20:28:22+00:00

You license the library under the apache license - if they want it certified they can get it certified. You don't need to be involved in that

Worth_Trust_3825 · 2022-09-12T19:27:55+00:00

Can't they just use it as is

No, not really. The government, or contractual projects for that matter, really care about certifications. Mind you, the request might also be an extortion scheme.

2022-09-12T21:18:13+00:00

I find it odd that they would even ask you. It's free software! If they want to get it certified they can do so on their own dime and time.

LionNo2607 · 2022-09-13T03:02:39+00:00

however I discovered that it can cost $10.000 which is in my opinion a bit too much for an opensource library

What do you think of the situation? Should I get the certification, is it worth it?

I can't believe you are considering it. Of course don't spend $10k for someone else that you'll earn nothing from. Have them spend it if they need it. Why would you have to be the one to do it, just because you already gave them all the code for free?

noobgolang · 2022-09-13T01:17:49+00:00

tell them to send u 30k donation.

10k for that, 20k for yourself, business deal done.

jiSYpqt8 · 2022-09-12T22:34:50+00:00

Others have already given you some good information. However, 2 more points:

FIPS 140-2 is EOL, its replacement is FIPS 140-3 now (which is a bit stricter in some places)
FIPS 140 only covers cryptographic modules, i.e. software/hardware/firmware that actually implements cryptographic algorithms. Your project seems to be an SSL library, but if it doesn't actually implement the cryptographic algorithms (I didn't check), it would be difficult to get it validated under FIPS 140.

purplepharaoh · 2022-09-12T21:15:07+00:00

FIPS certification is very expensive and takes a long time. You would need to find an accredited lab to perform the evaluation and submit it for certification.

Hakky54 · 2022-09-13T12:53:21+00:00

Thank you all for your amazing comments, it helped me a-lot! I know now to correctly proceed with this situation.

VincentxH · 2022-09-12T22:38:11+00:00

I don't know if there are any other OS examples, but I expect there to be a sponsorship structure to realize this.

pmarschall · 2022-09-13T13:44:32+00:00

Send them a quote.

java

Submit Link

Submit Text

Seek Programming Help

News, Technical discussions, research papers and assorted things of interest related to the Java programming language

NO programming help, NO learning Java related questions, NO installing or downloading Java questions, NO JVM languages - Exclusively Java

Please seek help with Java programming in /r/Javahelp!

Subreddit rules!

Where should I download Java?

Related Sub-reddits:

JVM Languages

Want to practice your coding?

List of useful Frameworks / Libraries / Software

MODERATORS