FIPS-140

Plugins may or may not honour a request to run in FIPS-140 compliance mode. Before you install or upgrade any plugin, you should check the plugin’s code to ensure it adheres to the FIPS-140 standard.

If you enable FIPS-140 mode, it provides a hint to Jenkins and any plugins that have opted in that they should prefer cryptographic algorithms that may.^[1] be FIPS-140 approved. This may mean that some features are disabled entirely, or may use a less secure (but compliant) form of cryptography than normal.

If any code from the JVM, servlet container, Jenkins, or any plugin requests a non-compliant algorithm, this will still be the case, and the request may be honoured. For example, this mode cannot configure the JVM, so TLS connections to external secure web sites might still use non-compliant cryptography. Additionally, Jenkins cannot ensure that plugins will even use encryption at all, when appropriate. At the end of the day, just because Jenkins and plugins run when FIPS-140 mode is enabled does not mean that it adheres to the USA government standard.

As previously mentioned, the host, JVM, and the servlet container all need to be configured appropriately to ensure that Jenkins is FIPS-140 compliant. Extreme care should be taken when installing or upgrading plugins as they may or may not be FIPS-140 compliant, and they may introduce code that is non-compliant or otherwise change the JVM configuration so that it breaks compliance.

The Jenkins community does not support Jenkins FIPS-140 mode, and due to the complex nature of JVM and servlet configuration that can change between versions, does not provide documentation for the full configuration required to run Jenkins in a fully FIPS-140 compliant manner. If you need to run Jenkins in a way that it is FIPS-140 compliant, it is recommended that you obtain support from a commercial vendor. The Jenkins community may be able to fix issues relating to FIPS-140 compliance; these will be treated as any other bug report or feature request.