Overview
The FIPS Agent is a flavor of the Datadog Agent that natively supports Federal Information Processing Standards (FIPS) compliance. The FIPS Agent’s compliance is based on its use of the FIPS 140-2 validated Cryptographic Module - Certificate #4282. See the related security policy for information about validated operating environments and restrictions.
The FIPS Agent also includes limited support for integrations that need to collect observability data that is external to the host.
It is your responsibility to ensure operating environment compliance with the security policy and wider FIPS guidance.
Supported platforms:
| Platform | Supported |
|---|---|
| Bare metal and VMs | RHEL >= 7, Debian >= 8, Ubuntu >= 14.04, SUSE >= 12, Windows Server >= 2016, Windows >= 10 |
| Cloud and container | Amazon ECS, AWS EKS (Helm), Docker |
Supported products (Agent 7.65.0 and above):
- Metrics
- Logs
- APM traces
- APM profiles
- Processes
- Orchestrator Explorer
- Runtime Security
- Serverless Monitoring
- Datadog DDOT Collector
The Datadog FIPS Agent does not support the following:
- Communication between Cluster Agent and Node Agents
- Outbound communication to anything other than GovCloud
Compliance guidelines
This is not an exhaustive list. These requirements are a baseline only. You are responsible for evaluating your environment and implementing any additional controls needed to achieve full FIPS compliance.
The following baseline controls apply to each platform. Your system may require additional controls:
Linux
- A non-containerized Linux host.
- Your Linux OS must be in FIPS-compliant mode. See your OS vendor's documentation for the steps required to meet this requirement.
- FIPS-compliant storage backing the host file system.
Windows
- A non-containerized Windows host.
- Windows must be in FIPS-compliant mode.
- FIPS-compliant storage backing the host file system.
Amazon ECS
- Use a FIPS-compliant region (for example, AWS GovCloud).
- Configure AWS compute services (EC2 or Fargate) in FIPS mode.
- Use FIPS-compliant storage for your ECS tasks.
AWS EKS
- Use a FIPS-compliant region (for example, AWS GovCloud).
- Configure EKS worker nodes in FIPS mode.
- Use FIPS-compliant storage for your EKS worker nodes.
In addition to the Operating System (OS) requirements above:
- You must have access to a FIPS-compliant Datadog environment (US1-FED or US2-FED).
- The Agent version must be 7.65.0 or later; the FIPS Agent does not exist for earlier releases.
Installation
Install the Agent with FIPS support.
Linux
Note: FIPS support is only available on Agent versions 7.65.0 and above.
If you're using the Agent install script, specify the DD_AGENT_FLAVOR="datadog-fips-agent" environment variable in your installation command. For example:
DD_SITE="" DD_API_KEY="MY_API_KEY" DD_AGENT_FLAVOR="datadog-fips-agent" … bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)"
If you're installing with a package, follow the instructions to install the latest datadog-fips-agent package available for your platform.
Add GOFIPS=1 to the Agent's environment variables, reload all service units, and restart the Datadog Agent service (datadog-agent.service). Without GOFIPS=1 the package is installed but the Agent's cryptography is not forced into FIPS mode, so this step is not optional. For example, if your host uses systemd:
echo "GOFIPS=1" | sudo tee -a /etc/datadog-agent/environment
sudo systemctl daemon-reload
sudo systemctl restart 'datadog-agent*'
Run the datadog-agent status command and make sure you see FIPS Mode: enabled in the status output. If the line is missing or reads disabled, the GOFIPS variable was not picked up by the restarted service.
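The steps above are easy to get half-right: GOFIPS=1 appended twice, a stale GOFIPS=0 line left in place, or the Agent reporting FIPS mode on a kernel that is not itself in FIPS mode. The following script is an added example, not Datadog's own tooling, that makes the GOFIPS edit idempotent and then verifies both the kernel flag and the Agent's own report. It assumes a systemd Linux host, the environment file at /etc/datadog-agent/environment, that datadog-agent status prints a "FIPS Mode: <state>" line as described above, and (for the urllib3 check noted under Security and hardening) that the distribution's python3 is the interpreter whose urllib3 matters; all of those are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example (not Datadog's own tooling): post-install checks for the Linux FIPS Agent.
# Assumptions: systemd host, Agent environment file at /etc/datadog-agent/environment,
# and `datadog-agent status` printing a "FIPS Mode: <state>" line as the docs describe.

ENV_FILE="${DD_ENV_FILE:-/etc/datadog-agent/environment}"

# Idempotently ensure GOFIPS=1 is set: a second run must not append a duplicate,
# and a stale GOFIPS=0 line must be replaced rather than shadowed by a later line.
ensure_gofips() {
  local file="$1"
  if grep -qx 'GOFIPS=1' "$file" 2>/dev/null; then
    return 0                                  # already correct, nothing to do
  fi
  if grep -q '^GOFIPS=' "$file" 2>/dev/null; then
    sed -i 's/^GOFIPS=.*/GOFIPS=1/' "$file"   # fix a conflicting value in place
  else
    echo 'GOFIPS=1' >> "$file"                # first run: append
  fi
}

# Read the "FIPS Mode:" value from Agent status text on stdin; prints nothing if absent.
fips_mode_from_status() {
  awk -F': *' '/^[[:space:]]*FIPS Mode:/ { print tolower($2); exit }'
}

# The kernel exposes its own FIPS state in /proc/sys/crypto/fips_enabled ("1" when on).
# The Agent running in FIPS mode does not make the OS compliant; both must be checked.
kernel_fips_enabled() {
  local flag="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$flag" ] && [ "$(tr -d '[:space:]' < "$flag")" = "1" ]
}

# urllib3 <= 1.26.20 is the range the docs flag; returns 0 when a version falls in it.
urllib3_at_risk() {
  local v="$1"
  [ "$(printf '%s\n%s\n' "$v" '1.26.20' | sort -V | tail -n1)" = "1.26.20" ]
}

run_checks() {
  local rc=0
  kernel_fips_enabled || { echo "WARN: kernel is not in FIPS mode" >&2; rc=1; }
  ensure_gofips "$ENV_FILE"
  sudo systemctl daemon-reload
  sudo systemctl restart 'datadog-agent*'
  local mode
  mode="$(sudo datadog-agent status 2>/dev/null | fips_mode_from_status)"
  [ "$mode" = "enabled" ] || { echo "FAIL: Agent reports FIPS Mode: '${mode:-missing}'" >&2; rc=1; }
  # Assumption: the distro's python3 is the interpreter whose urllib3 matters here.
  local u3
  u3="$(python3 -c 'import urllib3; print(urllib3.__version__)' 2>/dev/null || true)"
  if [ -n "$u3" ] && urllib3_at_risk "$u3"; then
    echo "WARN: urllib3 $u3 <= 1.26.20; confirm FIPS-compliant crypto with your vendor" >&2
  fi
  return "$rc"
}

# Live checks run only when invoked as `./fips-check.sh check`, so the file is safe to source.
if [ "${1:-}" = "check" ]; then
  run_checks
fi
```

The exit status of run_checks is non-zero if either the kernel flag or the Agent's status line disagrees with what the documentation expects, which makes it usable as a gate in a provisioning pipeline; the urllib3 result is only a warning because the page says to confirm the situation with your Linux vendor rather than treating it as a hard failure.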
Windows
Follow the Windows instructions to uninstall any existing Datadog Agent on the machine.
Note: FIPS support is only available on Agent versions 7.65.0 and above.
Run the command below in PowerShell to install the FIPS Agent, replacing <DATADOG_API_KEY> with your API key:
$p = Start-Process -Wait -PassThru msiexec -ArgumentList '/qn /i https://windows-agent.datadoghq.com/datadog-fips-agent-7-latest.amd64.msi /log C:\Windows\SystemTemp\install-datadog.log APIKEY="<DATADOG_API_KEY>" SITE=""'
if ($p.ExitCode -ne 0) {
    Write-Host "msiexec failed with exit code $($p.ExitCode); check the log at C:\Windows\SystemTemp\install-datadog.log" -ForegroundColor Red
}
Run the Agent status command and make sure you see FIPS Mode: enabled in the status output:
& "$env:ProgramFiles\Datadog\Datadog Agent\bin\agent.exe" status
Note: The program name for the FIPS Agent in Add or Remove Programs is "Datadog FIPS Agent".
Amazon ECS
When following the ECS installation instructions, make sure to use these FIPS-specific configuration values in your Task Definition:
- Set image in the containerDefinitions object to public.ecr.aws/datadog/agent:7-fips
- Set the DD_SITE environment variable to your FIPS-compliant Datadog site (US1-FED or US2-FED)
Kubernetes
When following the Datadog Agent installation on Kubernetes instructions, make sure to include these FIPS-specific configuration values in the datadog-agent.yaml file, depending on your chosen installation method.
For the Datadog Operator:
spec:
  global:
    site: ""
    useFIPSAgent: true
For the Datadog Helm Chart:
datadog:
  site: ""
  useFIPSAgent: true
Security and hardening
You, the Datadog customer, are responsible for host security and hardening.
Security considerations:
- While the Datadog images provided are constructed with security in mind, they have not been evaluated against CIS benchmark recommendations or DISA STIG standards.
- If you rebuild, reconfigure, or modify the Datadog FIPS Agent to fit your deployment or testing needs, you might end up with a technically working setup, but Datadog cannot guarantee FIPS compliance if the Datadog FIPS Agent is not used exactly as explained in the documentation.
- If you did not follow the installation steps listed above exactly as documented, Datadog cannot guarantee FIPS compliance.
- Some Linux distributions ship urllib3 ≤ 1.26.20, which can fail in FIPS mode because it depends on non-compliant cryptographic libraries. Check with your Linux vendor to confirm FIPS-compliant encryption support.