A summary of Okta’s FIPS compliance

Federal Information Processing Standards (FIPS) are security standards published by the National Institute of Standards and Technology (NIST). For cryptography the relevant standard is FIPS 140: a product is FIPS compliant only when it is configured to perform its cryptographic operations in modules validated under NIST's Cryptographic Module Validation Program (CMVP), and that configuration has been verified through regular third-party assessments.

To demystify FIPS compliance in Okta's service offerings, this guide distills how and where FIPS-validated cryptography is used across Okta. We often receive questions about FedRAMP High vs. FedRAMP Moderate, about use in EPCS (the DEA's Electronic Prescriptions for Controlled Substances rule), and about FIPS in our commercial service offerings. The authoritative source is the System Security Plan (SSP) for each offering, one for the FedRAMP Moderate service and one for the FedRAMP High service, but those documents run to roughly 500 pages and follow the FedRAMP template, so finding a specific answer in them can be slow.

Commercial

Okta's commercial cells are not assessed for full FIPS coverage. The FIPS assessments described in the remainder of this guide apply only to the government offerings.

Everything listed in the remainder of this guide has been assessed as compliant by our third-party assessment organization (3PAO) and approved by our government agency sponsors. The CMVP certificate numbers in the tables can be checked against NIST's CMVP validated modules list, which records the exact module version and operating environment each validation covers. Where a row instead states a customer responsibility, the cryptography runs in the customer's own operating system, and it is up to the customer to keep that platform patched to a validated module version.

Okta for Government Moderate (FedRAMP Moderate)

The following ports and services have been assessed as FIPS compliant. A dash in the Port column means the row describes a client-side component or a storage mechanism rather than a network service.

Service                                   Port   CMVP certificate / note
SAML, OIDC, APIs                          443    #3617
Password Storage in Universal Directory   -      See Okta IDaaS Regulated Moderate Cloud System Security Plan, pages 487-488 (Control SC-13), for a description
Custom Domains                            443    #3503
CDN (CloudFront)                          443    #3617
Okta Verify iOS                           443    #3856, #3811
Okta Verify Android                       443    #4240
Okta Verify macOS                         -      Customer responsibility to patch and run a validated version of Apple CoreCrypto
Okta Verify Windows                       -      Customer responsibility to patch and run a validated version of the Windows Cryptographic Primitives Library
Okta Access Gateway (OAG)                 443    #2768, #1747
Okta AD Agent                             -      Customer responsibility to patch and run a validated version of the Windows Cryptographic Primitives Library
Okta LDAP Agent                           -      #2768


Okta for Government High (FedRAMP High)

The following ports and services have been assessed as FIPS compliant. A dash in the Port column means the row describes a client-side component or a storage mechanism rather than a network service.

Service                                   Port   CMVP certificate / note
SAML, OIDC, APIs                          443    #3617
Password Storage in Universal Directory   -      #3514
Custom Domains                            443    #3503
CDN (CloudFront)                          443    #3617
Okta Verify iOS                           443    #3856, #3811
Okta Verify Android                       443    #4240
Okta Verify macOS                         -      Customer responsibility to patch and run a validated version of Apple CoreCrypto
Okta Verify Windows                       -      Customer responsibility to patch and run a validated version of the Windows Cryptographic Primitives Library
Okta Access Gateway (OAG)                 443    #2768, #1747
Okta AD Agent                             -      Customer responsibility to patch and run a validated version of the Windows Cryptographic Primitives Library
Okta LDAP Agent                           -      #2768
DNS (DNSSEC)                              53     #3332


Okta for US Military (IL4 w/ approval for IL5 workloads)

The following ports and services have been assessed as FIPS compliant. A dash in the Port column means the row describes a client-side component or a storage mechanism rather than a network service.

Service                                   Port   CMVP certificate / note
SAML, OIDC, APIs                          443    #3617
Password Storage in Universal Directory   -      #3514
Custom Domains                            443    #3503
CDN (CloudFront)                          443    #3617
Okta Verify iOS                           443    #3856, #3811
Okta Verify Android                       443    #4240
Okta Verify macOS                         -      Customer responsibility to patch and run a validated version of Apple CoreCrypto
Okta Verify Windows                       -      Customer responsibility to patch and run a validated version of the Windows Cryptographic Primitives Library
Okta Access Gateway (OAG)                 443    #2768, #1747
Okta AD Agent                             -      Customer responsibility to patch and run a validated version of the Windows Cryptographic Primitives Library
Okta LDAP Agent                           -      #2768
DNS (DNSSEC)                              53     #3332


This summary should save customers time in finding details on Okta's FIPS compliance and help government agencies and HIPAA-regulated customers with their own compliance work. If you have further questions about FIPS compliance in our products and services, contact us at [email protected]