NSS and Virtual Service Edge (VSE) VMs' FIPS certification


We have a question from the auditors about whether NSS and Virtual Service Edge (VSE) VMs are FIPS-certified.


Would this be helpful?

Unfortunately, the article talks about the Zscaler Security Cloud, not NSS or VSE specifically. We are deploying these VMs on-prem; that is the reason why the auditors ask for FIPS. Thanks,

Yeah, makes sense. I will roam the halls and see if I can find a solid answer. I am still getting my legs under me. Would the fact that NSS and VSE are self-hosted make any difference in that regard?

Yes, it would, as the cloud itself is fully FIPS. The question boils down to the VMs (NSS, VSE), especially VSE, as it brings the traffic to the Zscaler cloud.

Interesting, I did ask the virtual halls as well as did some searching on my own.

Here is a website that we have that is dedicated solely to compliance certifications. There is also a form that you can fill out that will prompt our compliance team to reach out with information you may need specific to your audit. Hope this helps while the other ball is rolling :)

Thank you for the link. Looks like the form does not have an option to submit questions about NIST 800-53, FIPS-140-2 or FedRAMP. Is that something Zscaler is planning to add in the future?

Let me see if I can find out. I think those options are referring to which report you are currently undergoing. Is there a specific FIPS-140-2 report or is it part of a larger audit? Just want to make sure I am asking the right questions.

We are being audited against FISMA, which is based on the NIST 800-53 framework. Thanks,