A summary of Okta’s FIPS compliance
Federal Information Processing Standards (FIPS) are security standards developed by the National Institute of Standards and Technology (NIST). For a system or product to be FIPS compliant, it must meet the required configuration standards and pass rigorous audits through regular third-party assessments.
To demystify FIPS compliance in Okta's service offerings, we thought it would be helpful to distill how and where FIPS is implemented across Okta. We often receive questions about FedRAMP High vs. FedRAMP Moderate, use in EPCS, and even about FIPS in our commercial service offerings. You can find information on FIPS compliance in our System Security Plans for our FedRAMP Moderate service offering and our FedRAMP High service offering, but these documents are ~500 pages long and have to follow the FedRAMP template, which can make it difficult to find the information you need quickly.
Commercial
Okta does not support full FIPS coverage in the commercial cells.
For the remainder of this guide, everything listed is considered compliant, has been assessed by our third-party assessment organization (3PAO), and has been approved by our government agency sponsors.
Okta for Government Moderate (FedRAMP Moderate)
The following ports and services have been assessed as FIPS compliant:
| Service | Port | CMVP Certificate |
|---|---|---|
| SAML OIDC APIs | 443 | #4523 |
| Password Storage in Universal Directory | See Okta IDaaS Regulated Moderate Cloud System Security Plan pages 487-488 (Control SC-13) for description | |
| Custom Domains | 443 | #3503 |
| CDN (Cloudfront) | 443 | #4523 |
| Okta Verify iOS | 443 | #3856, #3811 |
| Okta Verify Android | 443 | #4240 |
| Okta Verify MacOS | Customer responsibility to patch and ensure compliant version of CoreCrypto | |
| Okta Verify Windows | Customer responsibility to patch and ensure compliant version of Windows Cryptographic Primitives Library | |
| Okta Access Gateway (OAG) | 443 | #2768, #1747 |
| Okta AD Agent | Customer responsibility to patch and ensure compliant version of Windows Cryptographic Primitives Library | |
| Okta LDAP Agent | | #2768 |
Okta for Government High (FedRAMP High)
The following ports and services have been assessed as FIPS compliant:
| Service | Port | CMVP Certificate |
|---|---|---|
| SAML | 443 | |
| Password Storage in Universal Directory | | |
| Custom Domains | 443 | |
| CDN (Cloudfront) | 443 | |
| Okta Verify iOS | 443 | |
| Okta Verify Android | 443 | |
| Okta Verify MacOS | Customer responsibility to patch and ensure compliant version of CoreCrypto | |
| Okta Verify Windows | Customer responsibility to patch and ensure compliant version of Windows Cryptographic Primitives Library | |
| Okta Access Gateway (OAG) | 443 | |
| Okta AD Agent | Customer responsibility to patch and ensure compliant version of Windows Cryptographic Primitives Library | |
| Okta LDAP Agent | | |
| DNS (DNSSec) | 53 | |
Okta for US Military (IL4 w/ approval for IL5 workloads)
The following ports and services have been assessed as FIPS compliant:
| Service | Port | CMVP Certificate |
|---|---|---|
| SAML | 443 | |
| Password Storage in Universal Directory | | |
| Custom Domains | 443 | |
| CDN (Cloudfront) | 443 | |
| Okta Verify iOS | 443 | |
| Okta Verify Android | 443 | |
| Okta Verify MacOS | Customer responsibility to patch and ensure compliant version of CoreCrypto | |
| Okta Verify Windows | Customer responsibility to patch and ensure compliant version of Windows Cryptographic Primitives Library | |
| Okta Access Gateway (OAG) | 443 | |
| Okta AD Agent | Customer responsibility to patch and ensure compliant version of Windows Cryptographic Primitives Library | |
| Okta LDAP Agent | | |
| DNS (DNSSec) | 53 | |
This summary of our products should save customers time finding details on Okta's FIPS compliance and assist government agencies and HIPAA customers with their own compliance. If you have any further questions about the FIPS compliance of our products and services, please feel free to contact us at [email protected].