FIPS-ing the Un-FIPS-able: Apache Cassandra
We’re excited to announce that Chainguard is now building FIPS-validated images for Apache Cassandra entirely from source – a first-of-its-kind achievement in the open source community. Chainguard and our customers had long believed that it was impossible to build FIPS versions of this project, as the upstream code was incompatible with FIPS-approved cryptographic libraries.
But now, with Chainguard delivering custom FIPS image builds for Cassandra, customers who deploy products in highly regulated industries (security, financial services, healthcare, etc.) or government environments (FedRAMP, StateRAMP, DoD, etc.) can deploy this enterprise data platform with FIPS-approved cryptography. This milestone will allow Chainguard customers to harden their software supply chains and simplify compliance requirements, while their end customers receive stronger assurance of product security. Chainguard has created a new market for FIPS images – in direct response to customer demand – that did not exist before because it was technically infeasible.
In this blog post, we’ll go deeper into our motivations for FIPS-ifying Cassandra and the challenges Chainguard overcame to successfully build FIPS-validated versions for Cassandra 4.0, 4.1, and 5.0.
Customer Demand for FIPS Images
Customers consistently asked Chainguard to build FIPS versions of Cassandra 4.0, 4.1, and 5.0, as this application is a core piece of the enterprise data stack. Previously, we would come back with the same answer: because the upstream maintainers for this project have not modified their source code to be compatible with FIPS-approved libraries, we could not build FIPS images for Cassandra. But the demand kept pouring in.
Companies building software to sell to the federal government via FedRAMP authorization or to Department of Defense (DoD) agencies need FIPS images to achieve compliance and unlock enormous revenue streams. Other customers handling sensitive consumer data in highly regulated industries like healthcare, financial services, and cybersecurity argued that FIPS encryption was best practice. Neither group of companies could afford to refactor their products to avoid using a mission-critical application like Cassandra.
Chainguard’s Solution: FIPS-Validated Images Where None Existed Before
After seeing such enormous customer demand for Cassandra FIPS images, we knew we had to build a solution to “FIPS the un-FIPS-able” ourselves. That meant taking on three significant workstreams:
Source Code Fork for FIPS Compatibility: We identified the appropriate upstream open source project, forked the source code, and added modular code changes that let users choose between the default cryptographic implementations in Java and the FIPS-approved cryptographic libraries. This modular approach allowed us to keep the cryptographic operations native to Java applications (key generation, encryption, and decryption) while also offering FIPS cryptographic operations as an option. These code changes were applied to the latest tag and backported to all supported tags (namely the three versions of Cassandra: 4.0, 4.1, and 5.0).
Extensive Source Code Testing: Once we completed the successful fork of the upstream project and implemented FIPS-compatible code changes, it was essential for us to conduct extensive testing across both the FIPS and non-FIPS cryptographic code paths. Rigorous testing is critical for Chainguard to guarantee stability, security, and performance for our customers, as well as full compliance satisfaction. Our extensive testing was conducted based on the upstream project’s test harness to ensure full fidelity of tests and execution.
Building, Delivering, and Maintaining FIPS-Enabled Images: Once we completed all code changes and validated the cryptographic functionality, we turned to developing new container images. After successfully building the first FIPS images for these projects, we began maintaining and rebuilding them continuously, just like all other Chainguard Images. That means applying the latest patches and updates, backporting patches to older supported version streams, and continuously ensuring FIPS validation.
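As an added illustration of the modular approach described in the first workstream (this is example code written for this post, not Chainguard's fork or Cassandra's own source), the class below resolves a JCA provider once at startup and hands out KeyGenerator and Cipher instances from it. The system properties `example.crypto.fips` and `example.crypto.provider` are hypothetical, and the FIPS provider is assumed to be already registered with the JVM; the point worth noting is that when FIPS mode is requested the resolver fails closed instead of silently falling back to the JDK default providers.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;

/** Central place that decides which JCA provider backs cryptographic operations. */
public final class CryptoProviderSelector {
    // Hypothetical property names for this example; not Cassandra's or Chainguard's own keys.
    private static final String FIPS_MODE_PROP = "example.crypto.fips";
    private static final String PROVIDER_PROP = "example.crypto.provider";

    private final Provider provider; // null means "use the JDK's default provider chain"

    public CryptoProviderSelector() {
        boolean fipsMode = Boolean.getBoolean(FIPS_MODE_PROP);
        String name = System.getProperty(PROVIDER_PROP);
        if (name == null) {
            // FIPS mode without a named provider must not degrade to default (non-FIPS) crypto.
            if (fipsMode) throw new IllegalStateException(PROVIDER_PROP + " is required in FIPS mode");
            this.provider = null;
        } else {
            // Assumes the provider was registered via java.security or Security.addProvider().
            Provider p = Security.getProvider(name);
            if (p == null) throw new IllegalStateException("JCA provider not registered: " + name);
            this.provider = p;
        }
    }

    /** Key generation, e.g. "AES", from the selected provider or the default chain. */
    public KeyGenerator keyGenerator(String algorithm) throws NoSuchAlgorithmException {
        return provider == null ? KeyGenerator.getInstance(algorithm)
                                : KeyGenerator.getInstance(algorithm, provider);
    }

    /** Encryption/decryption primitive, e.g. "AES/GCM/NoPadding", from the same provider. */
    public Cipher cipher(String transformation)
            throws NoSuchAlgorithmException, NoSuchPaddingException {
        return provider == null ? Cipher.getInstance(transformation)
                                : Cipher.getInstance(transformation, provider);
    }

    public static void main(String[] args) throws Exception {
        CryptoProviderSelector selector = new CryptoProviderSelector();
        KeyGenerator kg = selector.keyGenerator("AES");
        kg.init(256);
        Cipher cipher = selector.cipher("AES/GCM/NoPadding");
        System.out.println("Provider in use: " + cipher.getProvider().getName());
    }
}
```

Run with `-Dexample.crypto.fips=true -Dexample.crypto.provider=<registered FIPS provider name>` to exercise the fail-closed path; without either property the JDK defaults are used, matching the non-FIPS code path described above.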
We are currently working on contributing our code forks and patches back to the upstream project maintainers for their review and acceptance. As strong believers in the ethos of open source, it’s important to share our breakthrough here with the broader community.
Getting Started with Cassandra-FIPS
FIPS-enabled images for Cassandra are only the beginning of our effort to build FIPS images for applications previously thought to be un-FIPS-able. Other projects we are currently considering on our roadmap include Apache Spark, Apache Kafka, and Apache ZooKeeper. We would love your feedback as to which images you’d like us to FIPS-ify next.
If you’d like to learn more about Chainguard’s custom FIPS-validated images or want to get started with FIPS versions of Cassandra, reach out today!