A summary of Okta’s FIPS compliance
Federal Information Processing Standards (FIPS) are security standards developed by the National Institute of Standards and Technology (NIST). For a system or product to be FIPS compliant, it must meet the relevant configuration standards and pass rigorous audits through regular third-party assessments.
To demystify FIPS compliance in Okta’s service offerings, we thought it would be helpful to distill how and where FIPS is implemented across Okta. We often receive questions about FedRAMP High vs. FedRAMP Moderate, use in EPCS, and even about FIPS in our commercial service offerings. You can find information regarding FIPS compliance in our System Security Plans for our FedRAMP Moderate service offering and our FedRAMP High service offering, but these documents are about 500 pages long and must follow the FedRAMP template, which makes it difficult to find the information you need quickly.
Commercial
Okta does not support full FIPS coverage in the commercial cells.
The service offerings described in this guide are considered FIPS compliant, have been assessed by our third-party assessment organization (3PAO), and have been approved by our U.S. government agency sponsors.
On-Premise Software
While on-premise software is not included in Okta’s authorization boundaries, it is typically included in customer boundaries. To help with customer compliance, we provide the CMVP certificates below for our on-premise software.
| Service | Port | CMVP Certificate |
|---|---|---|
| OAG | 443 | |
| Okta AD Agent | Customer responsibility to patch and ensure compliant version of Windows Cryptographic Primitives Library | |
| Okta LDAP Agent | | |
Okta for Government Moderate (FedRAMP Moderate)
The following ports and services have been assessed as FIPS compliant:
| Service | Port | CMVP Certificate |
|---|---|---|
| SAML | 443 | |
| Password Storage in Universal Directory | See Okta IDaaS Regulated Moderate Cloud System Security Plan pages 487-488 (Control SC-13) for description | |
| Custom Domains | 443 | |
| CDN (CloudFront) | 443 | |
| Okta Verify iOS | 443 | |
| Okta Verify Android | 443 | |
| Okta Verify macOS | Customer responsibility to patch and ensure compliant version of CoreCrypto | |
| Okta Verify Windows | Customer responsibility to patch and ensure compliant version of Windows Cryptographic Primitives Library | |
Okta for Government High (FedRAMP High)
The following ports and services have been assessed as FIPS compliant:
| Service | Port | CMVP Certificate |
|---|---|---|
| SAML | 443 | |
| Password Storage in Universal Directory | | |
| Custom Domains | 443 | |
| CDN (CloudFront) | 443 | |
| Okta Verify iOS | 443 | |
| Okta Verify Android | 443 | |
| Okta Verify macOS | Customer responsibility to patch and ensure compliant version of CoreCrypto | |
| Okta Verify Windows | Customer responsibility to patch and ensure compliant version of Windows Cryptographic Primitives Library | |
| DNS (DNSSEC) | 53 | |
Okta for US Military (IL4 w/ approval for IL5 workloads)
The following ports and services have been assessed as FIPS compliant:
| Service | Port | CMVP Certificate |
|---|---|---|
| SAML | 443 | |
| Password Storage in Universal Directory | | |
| Custom Domains | 443 | |
| CDN (CloudFront) | 443 | |
| Okta Verify iOS | 443 | |
| Okta Verify Android | 443 | |
| Okta Verify macOS | Customer responsibility to patch and ensure compliant version of CoreCrypto | |
| Okta Verify Windows | Customer responsibility to patch and ensure compliant version of Windows Cryptographic Primitives Library | |
| DNS (DNSSEC) | 53 | |
It is Okta’s hope that this guide saves our customers time when trying to find details related to Okta’s FIPS compliance. We further expect that this guide will assist U.S. government agencies with their own compliance requirements. If you have any further questions about Okta’s FIPS-compliant products and services, please feel free to contact us at [email protected].