FIPS Validated

FIPS certified Istio and Gloo Platform provide a government-ready Zero Trust Architecture (ZTA) built on federal government cybersecurity requirements and the NIST standards FIPS 140-2, 800-204A, and 800-207. Built around ZTA, Istio, Gloo Gateway, and Gloo Mesh give government organizations and system integrators the centralized command and control required for FedRAMP certification.

What is FIPS?

FIPS (Federal Information Processing Standards) refers to a set of rules on how cryptographic modules are implemented and applied to any part of a system utilizing cryptographic functions.

Most large organizations have compliance obligations around FIPS. These include customers in the U.S. Government, but many businesses consider FIPS a best practice that helps them meet other regulatory requirements and industry best practices.

Our ethos is security first.

We take security seriously.

There are also security requirements that extend beyond just technology. For products and implementations, FIPS validation can be achieved by submitting a cryptographic module for review and testing to a CMVP lab.

Key Features

  • 140-2 FIPS Certified by NIST Approved Laboratory: Most products and Istio have gone through FIPS certification. FIPS 140-3 compliance is a work in progress.
  • Vulnerabilities (CVEs) addressed within FedRAMP 800-53 controls: Solo ensures that vulnerabilities are addressed within FedRAMP required timelines.
  • Long-Term Support for Istio: Upstream Istio only supports versions for 6 months. Solo supports the latest 5 versions of Istio.
  • FIPS Compliant Istio ARM Images: Save money using ARM images from the cloud vendors while maintaining FIPS compliance.
  • Expertise in FedRAMP Process: The team has helped multiple vendors assure their FedRAMP auditors that the Gloo service mesh and API gateways embedded in their products are FedRAMP compliant.

FIPS compliant vs. FIPS certified/validated: What’s the difference?

There are two levels of FIPS adherence: FIPS compliant and FIPS certified/validated.

  • FIPS compliant is a self-certification, meaning the vendor indicates they are adhering to the standards.
  • FIPS certified/validated means the product has been tested at a national lab and audited to confirm it adheres to FIPS standards.

Solo has taken the time to validate and certify our FIPS 140-2 compliance (certificate 4257), confirming our commitment to supporting the FIPS 140-2 standard for our customers.

Why choose Solo for FIPS-ready service meshes and API gateways?

Solo’s Gloo Mesh and Gloo Gateway deliver secure service meshes and API gateways by enhancing open source Istio and Envoy Proxy. By default, basic open source distributions of Istio and Envoy are unable to meet FIPS requirements. Encryption alone isn’t enough, and if you use purely open source you inherit the burden of developing and maintaining missing security features. Solo provides enterprise distributions of Istio through our Gloo Mesh product.

The enterprise distribution comes with:

  • Enterprise SLAs
  • Long-term support (LTS for N-4, which is typically 15 months of Istio releases)
  • Expert guidance and architecture reviews

Solo provides a hardened FIPS 140-2 validated version of Istio service mesh. This supports compliant builds of both Istio’s control plane and data plane (Envoy Proxy).