Best practice for maintaining compliance with FIPS and Common Criteria in your Splunk Enterprise environment
Maintaining a secure posture in your Splunk platform environment includes understanding the requirements for compliance with government-mandated security standards. Read this topic to learn how Splunk plans to transition its software products to the latest validated cryptographic modules, and how you, as a Splunk customer, can establish and maintain compliance with these standards by running the latest secure versions of Splunk software.
The National Institute of Standards and Technology (NIST) controls when it updates the Federal Information Processing Standards (FIPS). The cryptographic module standards currently in force are FIPS 140-2 and FIPS 140-3. NIST plans to move FIPS 140-2 validations to its Historical List on September 21, 2026. A module on the Historical List keeps its validation record, but federal agencies can no longer include it in new procurements, so from that date Splunk can no longer sell software that relies on FIPS 140-2 modules to new customers. Customers can continue to use software whose modules are on the Historical List only in existing deployments, such as older versions of Splunk software. Splunk plans to offer software with FIPS 140-3 validated modules before September 21, 2026 so that its customers remain FIPS compliant.
Vendors of operating systems and software libraries have their own timelines for when their software gains or loses FIPS validation. Splunk does not control when third-party software or applications are validated, only its own. Splunk will ensure that one or more versions of its software always meets FIPS compliance, and will make a best effort to advise you of compliance deprecation and expiration timelines so that you can plan ahead and stay compliant.
Establish compliance in your environment
Confirm that you have the following in place to maintain compliance with FIPS and the Common Criteria Recognition Agreement (CCRA, or "Common Criteria") in your environment:
- Products and apps that are mission critical to your business must use either a valid certificate that complies with the CCRA, or a bridge certificate that confirms that a future release will be CCRA-certified
- Any operating system on which you run Splunk Enterprise in FIPS mode must itself run in FIPS mode. FIPS mode is a requirement for compliance with CCRA
- If a Splunk app or add-on that runs on the Splunk platform performs cryptographic operations, confirm that it uses only FIPS-validated versions of its cryptographic modules (for example, OpenSSL, BoringCrypto, Bouncy Castle, and so on)
- Any Splunk apps or add-ons that you want to run on a Splunk Enterprise instance must use only the protocols and algorithms that FIPS permits (for example, TLS 1.2 with FIPS-approved cipher suites), and must not depend on algorithms like Message Digest 5 (MD5) or Rivest Cipher 4 (RC4) that FIPS does not allow
- Don't use outdated and insecure cryptographic algorithms such as RC4, MD5, Secure Hash Algorithm 1 (SHA-1), and Triple Data Encryption Standard (3DES) anywhere in your Splunk platform environment. Use FIPS-approved algorithms instead, such as Advanced Encryption Standard (AES) for encryption and the SHA-2 family for hashing
- While FIPS is a requirement for compliance with CCRA, it is not the only requirement. To fully meet CCRA guidelines, your environment must do the following:
- Run a specific CCRA-compliant operating system with specific CCRA-compliant third-party software
- Run a version of Splunk Enterprise that meets a specific CCRA target of evaluation (TOE)
For information on how Splunk Enterprise conforms fully with CCRA and the versions you can use for CCRA compliance, see the Splunk Enterprise Common Criteria Manual.
Take action to stay in compliance
Plan for future changes in FIPS and Common Criteria compliance requirements by doing the following in your environment when and where possible:
- Determine whether your environment must comply with Common Criteria, or whether FIPS compliance is sufficient. Compliance with FIPS does not by itself mean compliance with CCRA
- Run the most current Common Criteria-compliant operating system on the hosts that run Splunk Enterprise. Operating system vendors advise which versions of their software comply with FIPS, CCRA, or both
- Use the latest CCRA-compliant version of Splunk Enterprise on that operating system
- Replace outdated and insecure protocols such as TLS 1.1 and lower with TLS 1.2 or higher
- To remain compliant, do the following:
- Visit the NIST website to learn when a FIPS standard goes into or comes out of force
- Visit the National Information Assurance Partnership (NIAP) website to learn the requirements your software must meet for Common Criteria compliance
- Visit the Splunk and OS vendor websites regularly for updated versions of software that keep your environment in compliance. Both Splunk and OS vendors will publish dates on when older software comes out of compliance, and new, compliant software becomes available
- Upgrade your operating system and associated software as necessary to remain in compliance with FIPS and CCRA, as advised by NIST and NIAP, respectively
- Upgrade Splunk Enterprise to a CCRA-compliant version to remain in compliance, as directed by Splunk
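The items in the two lists above that a script can verify on a host are the operating system's FIPS mode, Splunk's own FIPS mode switch, and the TLS versions and cipher suites configured for Splunk's listeners. The following POSIX shell script is an added example, not Splunk's own code or part of its documentation. It reads the kernel flag, checks for `SPLUNK_FIPS=1` in `splunk-launch.conf`, and parses `sslVersions` and `cipherSuite` from the `[sslConfig]` stanza of `server.conf` and the `[settings]` stanza of `web.conf`, flagging SSLv3 or TLS 1.0/1.1 and any RC4, MD5, DES/3DES or SHA-1-MAC cipher suite. Those setting and stanza names are Splunk's documented ones; the `etc/` tree and flag file the demo builds are constructed for the example, and both paths are parameters so you can point the audit at a real host. It does not, and cannot, check the items that depend on certificates: the CCRA status of an app or of the Splunk release itself.

```shell
#!/bin/sh
# Added example (not Splunk's code): audit a Splunk Enterprise host's FIPS posture.
# SPLUNK_FIPS, sslVersions, cipherSuite, [sslConfig] and [settings] are Splunk's
# documented names; the demo tree and flag file at the bottom are constructed.

# 0 when the kernel reports FIPS mode, 1 otherwise. $1: flag file (default /proc path).
os_fips_enabled() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag" ] && [ "$(tr -d '[:space:]' < "$flag")" = "1" ]
}
# 0 when splunk-launch.conf ($1) sets SPLUNK_FIPS=1 (set before splunkd's first start).
splunk_fips_enabled() {
    grep -Eq '^[[:space:]]*SPLUNK_FIPS[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null
}
# Print key $3 from stanza $2 of INI-style Splunk .conf $1 (empty if unset; last wins).
conf_get() {
    awk -v stanza="[$2]" -v key="$3" '
        /^[[:space:]]*#/ { next }
        /^\[/ { in_s = ($0 == stanza); next }
        in_s && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) { v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        }
        END { print v }' "$1"
}
# Expand a Splunk sslVersions value ("*" = all, "-x" removes x) and print the enabled
# versions FIPS/CCRA guidance rejects (ssl3, tls1.0, tls1.1). Exit 1 if any remain,
# 0 for an empty value or tls1.2 only.
check_ssl_versions() (
    set -f   # keep a literal "*" from globbing
    toks=$(printf '%s' "$1" | tr -d '[:space:]' | tr ',' '\n')
    enabled=""
    for tok in $toks; do
        case "$tok" in
            '*') enabled="ssl3 tls1.0 tls1.1 tls1.2" ;;
            -*)  enabled=$(printf '%s\n' $enabled | grep -vxF -- "${tok#-}" | tr '\n' ' ') ;;
            *)   enabled="$enabled $tok" ;;
        esac
    done
    weak=$(printf '%s\n' $enabled | grep -Ex 'ssl3|tls1\.0|tls1\.1' | sort -u | tr '\n' ' ')
    [ -n "${weak% }" ] && printf '%s\n' "${weak% }" && exit 1
    exit 0
)
# Scan an OpenSSL cipher string for what FIPS rejects: RC4, MD5, DES/3DES, SHA-1 MACs
# (names ending in -SHA) and broad aliases that need `openssl ciphers -v` to resolve.
# "!x"/"-x" exclusion tokens are skipped. Exit 1 if anything is flagged.
check_cipher_suite() (
    weak=""
    for tok in $(printf '%s' "$1" | tr ':, ' '\n\n\n'); do
        case "$tok" in '!'*|-*) continue ;; +*) tok="${tok#+}" ;; esac
        case "$tok" in
            *RC4*|*MD5*|*DES*|*-SHA|ALL|DEFAULT|LOW|MEDIUM) weak="$weak $tok" ;;
        esac
    done
    [ -n "$weak" ] && printf '%s\n' "${weak# }" && exit 1
    exit 0
)
# Audit one Splunk etc/ tree ($1) plus the kernel flag ($2): print a FINDING line per
# problem and return the finding count (0 = nothing flagged).
audit_splunk_fips() {
    findings=0
    os_fips_enabled "$2" || { echo "FINDING: kernel FIPS mode is off ($2)"; findings=$((findings + 1)); }
    splunk_fips_enabled "$1/splunk-launch.conf" \
        || { echo "FINDING: SPLUNK_FIPS=1 not set in $1/splunk-launch.conf"; findings=$((findings + 1)); }
    for spec in system/local/server.conf:sslConfig system/local/web.conf:settings; do
        file="$1/${spec%%:*}"; stanza="${spec##*:}"
        [ -f "$file" ] || continue
        weak=$(check_ssl_versions "$(conf_get "$file" "$stanza" sslVersions)") \
            || { echo "FINDING: $file [$stanza] sslVersions enables $weak"; findings=$((findings + 1)); }
        weak=$(check_cipher_suite "$(conf_get "$file" "$stanza" cipherSuite)") \
            || { echo "FINDING: $file [$stanza] cipherSuite allows $weak"; findings=$((findings + 1)); }
    done
    return $findings
}
# Constructed demo: one weak stanza, one hardened stanza, kernel FIPS mode off.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/system/local"
    printf 'SPLUNK_HOME=/opt/splunk\nSPLUNK_FIPS=1\n' > "$tmp/etc/splunk-launch.conf"
    cat > "$tmp/etc/system/local/server.conf" <<'EOF'
[sslConfig]
sslVersions = *,-ssl2
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:RC4-SHA
EOF
    cat > "$tmp/etc/system/local/web.conf" <<'EOF'
[settings]
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!RC4:!MD5:!3DES
EOF
    printf '0\n' > "$tmp/fips_enabled"
    audit_splunk_fips "$tmp/etc" "$tmp/fips_enabled"; rc=$?
    rm -rf "$tmp"; return $rc
}

demo || echo "demo tree: $? finding(s) to fix before claiming FIPS compliance"
```

On a real host, call `audit_splunk_fips "$SPLUNK_HOME/etc" /proc/sys/crypto/fips_enabled`. Because Splunk layers `default/`, app and `local/` settings, a single file does not show the effective value; confirm what splunkd actually uses with `splunk btool server list sslConfig` and `splunk btool web list settings`, and treat an empty value as "inherited", not as "safe". The `*` handling matters in practice: `sslVersions = *,-ssl2` silently re-enables TLS 1.0 and 1.1, which is exactly the setting the list above tells you to replace with TLS 1.2 or higher.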
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0