A summary of Okta’s FIPS compliance

Federal Information Processing Standards (FIPS) are security standards developed by the National Institute of Standards and Technology (NIST). For organizations to adhere to FIPS compliance, the system or product must meet configuration standards and pass rigorous audits through regular third-party assessments.

To demystify FIPS compliance in Okta’s service offerings, we thought it would be helpful to distill how and where FIPS is implemented across Okta. We often receive a number of questions about FedRAMP High vs. FedRAMP Moderate, use in EPCS, and even about FIPS in our commercial service offerings. You can find information regarding FIPS compliance in our System Security Plans for our FedRAMP Moderate service offering and our FedRAMP High service offering, but these documents are ~500 pages long and have to adhere to the FedRAMP template, where it can be difficult to find the information you need quickly. 

Commercial

Okta does not support full FIPS coverage in the commercial cells. 

For the remainder of this guide, everything listed is considered compliant and assessed by our third party assessment organization (3PAO) and approved by our government agency sponsors. 

Okta for Government Moderate (FedRAMP Moderate)

The following ports and services have been assessed as FIPS compliant:

Okta for Government High (FedRAMP High)

The following ports and services have been assessed as FIPS compliant:

Okta for US Military (IL4 w/ approval for IL5 workloads)

The following ports and services have been assessed as FIPS compliant:

With this summarized information around our products, it should save customers time with finding details on Okta’s FIPS compliance and assist government agencies and HIPAA customers with their own compliance. If you have any further questions about the FIPS compliance around our products and services, please feel free to contact us at [email protected].