CloudStack FIPS

Building a Compliant IaaS with Apache CloudStack

Deploying Infrastructure-as-a-Service (IaaS) platforms in regulated sectors—such as government, defense, finance, and healthcare—often comes with strict requirements around data protection and cryptographic assurance. These requirements are typically based on standards such as FIPS 140-2/140-3, which define how cryptographic modules must be implemented, validated, and used in production systems.

For cloud providers and contractors delivering services to these sectors, compliance is not optional. U.S. government frameworks such as NIST SP 800‑171 Revision 3 and NIST SP 800‑210 specify how third-party systems must handle sensitive information like Controlled Unclassified Information (CUI). One of the baseline expectations in both documents is the exclusive use of CMVP-validated cryptographic modules, which enforce secure encryption, key handling, and protocol usage across the entire software stack.

Apache CloudStack is widely adopted in private and public clouds around the world, including in projects where regulatory compliance is a prerequisite. However, out-of-the-box CloudStack does not enforce FIPS cryptographic policies across its components, which creates a significant gap for operators working in regulated environments. Even when some components can be configured to use secure protocols (such as TLS 1.2+), achieving consistent, full-stack enforcement of FIPS-approved algorithms and modules requires substantial effort.

To address this gap, ShapeBlue developed a FIPS-compliant framework for Apache CloudStack, designed to meet both customer demand and regulatory expectations. This framework enforces validated cryptographic operations at multiple layers of the stack—covering system VMs, host agents, API endpoints, and the management server—while preserving compatibility with the broader CloudStack ecosystem.

In this article, we explain the technical foundations of FIPS compliance, identify when and where it is required, and describe how ShapeBlue’s hardened implementation brings CloudStack in line with security and compliance mandates—enabling it to be deployed confidently in sensitive environments.

Many enterprises and service providers now complement cryptographic requirements with automated compliance workflows, data classification strategies, and continuous monitoring processes—much like those outlined by platforms like Secureframe. These practices—combined with validated cryptographic modules—form a robust compliance posture suitable for regulated sectors.

What is FIPS Compliance?

FIPS stands for Federal Information Processing Standards, a set of publicly published standards developed by the U.S. National Institute of Standards and Technology (NIST). Among them, FIPS 140-2 and its successor FIPS 140-3 are the most widely referenced in the context of information security. These standards define the security requirements for cryptographic modules used within IT systems—whether in hardware, firmware, or software implementations.

Achieving FIPS compliance means using only cryptographic modules that have been formally validated through the Cryptographic Module Validation Program (CMVP), a joint effort between NIST (USA) and the Communications Security Establishment (Canada). These modules must go through rigorous testing and be published in an official list of validated components.

In practical terms, FIPS 140 compliance includes:

  • Using only approved encryption algorithms, modes, and key sizes (e.g. AES, RSA, SHA-2)
  • Restricting protocols to FIPS-allowed configurations (e.g. TLS 1.2+ with specific cipher suites)
  • Enforcing secure key generation, storage, and destruction
  • Disabling fallback mechanisms to insecure protocols or legacy algorithms
  • Ensuring cryptographic operations are performed within validated boundaries

It is important to note that FIPS does not certify entire software platforms like Apache CloudStack. Instead, it applies to the individual cryptographic modules that those platforms rely on. To claim FIPS compliance, an environment must be carefully configured to ensure that only validated modules are used, and that they are applied consistently across all components that handle cryptographic operations—including API endpoints, secure communication layers, authentication routines, and internal services.

For organizations operating in regulated environments, or for service providers delivering infrastructure to such sectors, enforcing FIPS-compliant cryptography is often a baseline requirement—not only to meet policy mandates, but also to reduce risk and exposure in case of audit or incident response.

Use Cases and Regulatory Contexts for FIPS

FIPS compliance is typically required in environments that process, store, or transmit sensitive, regulated, or classified data. While originally designed for U.S. federal agencies, the requirement has extended to a much broader set of industries and use cases—especially where outsourced IT infrastructure is involved.

Some of the most common contexts where FIPS 140-2 or 140-3 compliance is mandatory or contractually enforced include:

U.S. Government and Federal Contractors

All systems that handle federal information, especially Controlled Unclassified Information (CUI), must comply with NIST SP 800‑171 and FIPS 140 standards. This includes cloud environments under FedRAMP, defense contractors subject to DFARS, and any service provider listed under CMMC programs.

Defense and National Security

Environments operating at Impact Level 4 or 5 (DoD), or those involving export-controlled data (e.g. ITAR, EAR), require strict enforcement of validated cryptographic modules.

Healthcare

Under HIPAA, cryptographic protections for electronic Health Information (EHI) must meet standards considered “industry best practice”—FIPS 140 is commonly accepted as the benchmark in this regard.

Financial Services

While PCI-DSS does not explicitly mandate FIPS 140, many financial institutions require FIPS-validated components in systems that handle transaction data or digital identity, especially in government-facing programs or cross-border compliance scenarios.

Law Enforcement and Public Safety

Agencies adhering to the CJIS Security Policy must use FIPS-compliant encryption for data in transit and at rest—extending this requirement to any cloud system that supports those agencies.

Critical Infrastructure and Energy

Industries governed by NERC CIP, DOE, or similar frameworks often include FIPS-based cryptographic controls, particularly when using third-party managed infrastructure.

Beyond these sectors, any cloud provider offering services to clients in regulated environments may be required to demonstrate FIPS compliance as part of procurement processes, due diligence checks, or security assessments. This is especially relevant for Managed Service Providers (MSPs) and Cloud Service Providers (CSPs) offering IaaS platforms to government agencies, healthcare networks, or multinational corporations.

In such cases, FIPS compliance becomes a condition for market entry—not just a security posture choice. Platforms like Apache CloudStack, when properly hardened, can be deployed to meet these requirements, provided all cryptographic operations are backed by validated modules and consistently enforced across the stack.

Why ShapeBlue Developed a FIPS-Compliant Framework

While FIPS compliance can, in theory, be achieved through custom configurations and isolated hardening efforts, implementing it consistently across a complex, multi-component system like Apache CloudStack presents operational and architectural challenges. ShapeBlue decided to develop a complete FIPS-compliant framework for CloudStack to address those challenges at scale and support our customer base.

Customer and Regulatory Demand

Many of our customers operate in or deliver services to sectors with strict regulatory requirements. From government agencies bound by FedRAMP or DFARS, to healthcare providers subject to HIPAA, or financial institutions with global compliance obligations, the demand for turnkey, FIPS-compliant IaaS environments has become increasingly common.

In multiple real-world projects, FIPS compliance was not a future consideration—it was a precondition for deployment. Customers needed assurance that all cryptographic operations across the stack used validated modules, and that no manual post-installation hardening would be required. The effort to fulfil this consistently prompted us to develop a reusable, supportable framework.

Community Alignment

Although Apache CloudStack already includes several secure-by-default practices (such as TLS-enabled APIs, firewalling, and role-based access control), full-stack FIPS enforcement was never addressed natively by the community. By building a formal implementation, we aimed to close that gap and share a practical reference architecture aligned with industry security expectations.

The goal is to allow CloudStack deployments—whether for private clouds, sovereign platforms, or hosted IaaS providers—to meet compliance baselines without compromising compatibility with upstream code or requiring unsupported custom patches. Our implementation remains fully aligned with the core project and does not introduce deviations from official releases.

Security-First Philosophy

At ShapeBlue, we view security not as a feature to be layered on top, but as an essential design principle. By enforcing FIPS 140-validated cryptography throughout the CloudStack environment—including the SystemVMs, Management Server, Host Agents, and API endpoints—we help ensure that even lower-level operations (like key handling, SSH access, or inter-component communication) meet cryptographic assurance requirements.

Automation and Governance Alignment

In addition to regulatory and customer-driven demand, we emphasize automated enforcement of secure configurations and clear governance policies to reduce drift and manual errors—mirroring modern compliance best practices seen in automated platforms. This ensures that once compliant, the environment remains so through upgrades and scaling.

This approach reduces attack surface, simplifies audit readiness, and makes CloudStack suitable for use in zero-trust architectures and sensitive workloads. It also provides operators with the confidence that their deployments are compliant not just in theory, but in practice—based on validated modules and traceable configuration enforcement.

Inside ShapeBlue’s FIPS-Compliant CloudStack Framework

The FIPS-compliant framework developed by ShapeBlue focuses on aligning Apache CloudStack with the cryptographic requirements defined in FIPS 140-2 and FIPS 140-3, as enforced under the Cryptographic Module Validation Program (CMVP). Rather than relying on ad hoc configurations, this implementation ensures that all cryptographic operations across the control plane and system components are handled exclusively by CMVP-validated modules.

Standards and Guidelines Covered

The framework is designed to support CloudStack deployments that must comply with the following standards and guidelines:

FIPS 140-2 / FIPS 140-3

Enforcement of validated cryptographic modules at all relevant layers (TLS, SSH, encryption at rest, etc.), using only approved algorithms and key sizes.

NIST SP 800‑171 Rev. 3

Secure handling of Controlled Unclassified Information (CUI) in non-federal systems, including authentication, transmission, and cryptographic protections.

NIST SP 800‑210

Access control guidance for cloud systems requiring cryptographically enforced boundaries and validation of authentication mechanisms.

TLS / SSH Guidelines (NIST SP 800-52, 800-131A)

Use of strong ciphers, protocol version constraints, and secure key exchange algorithms.

Best practices from CIS Benchmarks and DISA STIGs (when applicable)

CloudStack Components Covered

The framework enforces validated cryptography across all key CloudStack components:

| Component | FIPS Controls Implemented |
|---|---|
| Management Server | BCFIPS (Bouncy Castle FIPS) as Java crypto provider; TLS 1.2/1.3 enforcement; hardened keystore/truststore |
| Host Agent (KVM) | FIPS-enabled Linux kernel; SSH restricted to FIPS-approved ciphers, MACs, and key types |
| System VMs | Hardened images with OpenSSL in FIPS mode; FIPS-mode Linux userland; restricted SSH and TLS |
| Console Proxy | Enforced TLS 1.2+ with approved cipher suites |
| API / CLI | FIPS-compliant TLS handling; restricted algorithm negotiation; BCFIPS-backed crypto |
| Build Tools / Scripts | Automated provisioning of hardened images; verification of crypto settings at runtime |

Additionally, the framework offers automation scripts and policy templates that ensure consistent application of these controls during deployment, update, and recovery processes.
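The "verification of crypto settings at runtime" control for a KVM host can be pictured with the following added example, which is not part of ShapeBlue's framework: it reads the Linux kernel FIPS flag and audits the `Ciphers` and `MACs` directives of an sshd_config. The allowlists, function names and sample configuration are assumptions made for illustration; the authoritative algorithm list is the security policy of the validated module in use.

```python
from pathlib import Path

# Assumption: illustrative allowlists (AES-CTR/GCM, HMAC-SHA-2). The authoritative
# list is the security policy of the validated module actually deployed.
APPROVED = {
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512",
             "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
}

# Constructed sample input, not taken from a real host.
SAMPLE = """\
Port 22
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr
MACs=hmac-sha2-512-etm@openssh.com,hmac-md5
Ciphers 3des-cbc
"""

def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True only if the Linux kernel reports FIPS mode (file contains 1)."""
    try:
        return Path(path).read_text().strip() == "1"
    except OSError:
        return False  # flag file missing or unreadable: treat as not enabled

def audit_sshd_config(text):
    """Return sorted findings for the Ciphers and MACs directives."""
    findings, seen = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in APPROVED or key in seen:  # sshd keeps the first value it reads
            continue
        seen.add(key)
        if value[0] in "+-^":  # relative to built-in defaults, so not auditable here
            findings.append(f"{key}: '{value[0]}' modifies defaults; use an explicit list")
            continue
        findings += [f"{key}: {a.strip()} is not on the allowlist"
                     for a in value.split(",") if a.strip() not in APPROVED[key]]
    findings += [f"{k}: not set explicitly; build defaults apply"
                 for k in APPROVED.keys() - seen]
    return sorted(findings)

if __name__ == "__main__":
    print(kernel_fips_enabled(), audit_sshd_config(SAMPLE))
```

An empty findings list together with a true kernel flag is the passing state; anything else is a drift signal worth alerting on after upgrades or image rebuilds.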

Scope and Limitations

It is important to clarify that FIPS certification applies to cryptographic modules—not to entire systems or platforms. As such, the CloudStack platform itself is not “FIPS-certified,” but rather configured to operate in a FIPS-compliant manner, using only validated modules for all cryptographic functions.

The framework does not alter CloudStack’s orchestration behaviour, nor does it introduce custom forks or unsupported patches. All modifications are limited to:

  • Secure configuration defaults
  • Replacement of cryptographic backends where required (e.g., using BCFIPS)
  • Hardened base images for System VMs
  • Enforcement of protocol versions and cipher suites

This allows CloudStack deployments to meet FIPS compliance requirements without deviating from the upstream project, ensuring maintainability, upgrade compatibility, and full community support.

Note: While cryptographic compliance is foundational, mature environments also rely on continuous control monitoring, classification, and governance structures to maintain compliance over time. Integrating these practices with a FIPS-aligned framework offers both technical assurance and operational rigor.

Conclusion

Deploying Infrastructure-as-a-Service in regulated sectors demands more than just functional infrastructure—it requires verifiable cryptographic assurance across every component. ShapeBlue meets this challenge by delivering a comprehensive FIPS‑compliant framework for Apache CloudStack, ensuring that validated cryptographic modules power the platform’s communication, system VMs, host agents, and APIs, all while aligning seamlessly with the upstream project.

By enforcing FIPS 140‑2/3 compliance and mapping to relevant NIST standards like SP 800‑171 Rev. 3 and SP 800‑210, this framework positions CloudStack as a secure foundation for environments that handle Controlled Unclassified Information and operate under demanding regulatory regimes. It bridges critical gaps that would otherwise require extensive manual effort and deep domain expertise.

But compliance in modern cloud environments goes beyond cryptographic validation alone. As seen in practices promoted by leading solutions such as Secureframe, organizations reap the greatest benefits by combining robust technical controls with automation, continuous monitoring, and governance. These layers help ensure audit readiness, reduce risk drift, and reinforce trust over time.

ShapeBlue’s framework supports this advanced posture—not only by embedding secure-by-default configurations, but also by enabling automated validation, repeatable deployment patterns, and a clear governance model. This approach empowers cloud operators to deliver FIPS‑aligned, compliant IaaS environments robust enough for sensitive use cases like zero-trust and sovereign clouds.

In summary, building a Compliant IaaS with Apache CloudStack blends:

  • Deep cryptographic rigour (via FIPS and NIST alignment),
  • Operational resilience (through automation and governance), and
  • Community-friendly architecture (preserving compatibility and maintainability).

Together, they form a structured, pragmatic approach to delivering compliance-ready cloud infrastructure—without sacrificing flexibility or introducing unsupported custom forks.
