CoreSpatial Server Adds FIPS 140-2 Compliance to GeoServer
We’re excited to announce a major enhancement to CoreSpatial Server: support for running GeoServer in FIPS 140-compliant mode on both Red Hat Enterprise Linux (RHEL) and containerized environments. This capability represents a key milestone for CoreSpatial as we continue to expand its use in high-security environments across government and enterprise sectors.

What Is FIPS Compliance and Why Does It Matter?
FIPS stands for Federal Information Processing Standards, a set of publicly announced standards developed by the National Institute of Standards and Technology (NIST) for use in computer systems by non-military government agencies and contractors. Specifically, FIPS 140-2 and 140-3 relate to cryptographic module validation. They define the security requirements for the cryptographic modules that perform operations like encryption, hashing, and signing.
- Learn more about FIPS 140-2
- Explore the latest FIPS 140-3 standard
- NIST’s full FIPS series can be found at csrc.nist.gov
Many U.S. federal systems (and an increasing number of enterprise platforms handling sensitive or regulated data) are required to run only FIPS-validated cryptographic modules. Without this validation, software components like web services, authentication providers, or spatial data servers will be deemed unsuitable for use in secure environments, particularly those that handle Controlled Unclassified Information (CUI), Protected Health Information (PHI), or mission-critical defense data.

Why This Is a Big Deal for CoreSpatial and GeoServer Users
GeoServer, a cornerstone of open-source geospatial services, is widely adopted across both public and private sectors. However, until now, deploying GeoServer in a FIPS-validated environment was not possible due to compatibility issues related to its use of older-style JCEKS keystores for secret management, among other password-handling issues.
With this new release of CoreSpatial Server, we’ve resolved those limitations by:
- Configuring the Java runtime environment to use Bouncy Castle FIPS 140-2 validated cryptographic providers
- Hardening container images and RPM-based installations to ensure strict FIPS mode enforcement
- Providing turnkey compatibility with RHEL FIPS-enabled operating systems
- Validating compatibility with secure ingress and TLS termination using approved ciphers and key lengths
- Ensuring continued compatibility with key plugins and extensions, such as WMS/WFS/WCS services, PostGIS integration, and security modules
This means CoreSpatial Server customers can now deploy GeoServer in environments where FIPS 140-2 compliance is not optional – including DoD, DHS, and state-level emergency management systems.
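One way to check a data directory for the older keystore formats mentioned above before moving it to a FIPS-mode host, as an added example that is not CoreSpatial's or GeoServer's own code. The suffix list, function names and sample file names are assumptions; the sample files are constructed header bytes, not real keystores.

```python
import struct
import tempfile
from pathlib import Path

# Leading 4-byte magic numbers of the proprietary Java keystore formats.
MAGIC = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}
# Suffixes worth inspecting (assumed list; extend for your deployment).
SUFFIXES = {".jceks", ".jks", ".p12", ".pfx", ".bcfks", ".keystore"}

def keystore_format(path):
    """Classify a keystore by its header bytes, ignoring the file name."""
    head = Path(path).read_bytes()[:4]
    if len(head) < 4:
        return "unknown"
    (magic,) = struct.unpack(">I", head)
    if magic in MAGIC:
        return MAGIC[magic]
    # PKCS#12 and BCFKS are ASN.1 and begin with a SEQUENCE tag (0x30).
    return "ASN.1" if head[0] == 0x30 else "unknown"

def audit(root):
    """Return {relative path: format} for keystore-like files under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): keystore_format(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in SUFFIXES}

def legacy_keystores(findings):
    """Files to review: JCEKS is named on this page, JKS is an assumption."""
    return [p for p, fmt in findings.items() if fmt in MAGIC.values()]

def host_fips_enabled(flag="/proc/sys/crypto/fips_enabled"):
    """True when the Linux kernel reports FIPS mode (file contains 1)."""
    try:
        return Path(flag).read_text().strip() == "1"
    except OSError:
        return False

def build_sample_tree(root):
    """Constructed sample data: header bytes only, not real keystores."""
    sample = Path(root) / "sample"
    sample.mkdir(parents=True)
    (sample / "secrets.jceks").write_bytes(bytes.fromhex("cececece00000002"))
    (sample / "renamed.p12").write_bytes(bytes.fromhex("feedfeed00000002"))
    (sample / "store.bcfks").write_bytes(bytes.fromhex("3082010a"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = audit(tmp)
        print(found, legacy_keystores(found), host_fips_enabled())
```

Classifying by header rather than by extension catches a JKS or JCEKS file that has been renamed to look like PKCS#12, as the constructed `renamed.p12` shows.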

Deployment Scenarios Supported
The FIPS-compliant CoreSpatial Server supports:
- Bare metal or VM installations on RHEL 8 and 9 with FIPS mode enabled
- Containerized deployments using Podman, Docker, or Kubernetes where the underlying host supports FIPS 140-2 compliant cryptography
Whether you’re deploying in a SCIF, in a hybrid cloud with strict compliance policies, or inside an accredited container security boundary, CoreSpatial Server now enables you to take full advantage of GeoServer’s spatial publishing power without compromising on compliance.

Get Started Today
To explore FIPS-ready deployment options or see a demo, contact us at [email protected] or visit our CoreSpatial overview.
For federal agencies and contractors already navigating FedRAMP, CMMC, or NIST 800-171 compliance landscapes, this enhancement brings CoreSpatial one step closer to being your go-to open-source alternative for secure geospatial systems.
