Some page contents are not shown properly after we enabled FIPS recently. Those pages worked perfectly before. Currently our DNN version is 9.10.2. But I was wondering if this version is FIPS compliant.
Making a site FIPS compliant requires a lot more than just enabling the FIPS provider. Also, the provider in the core of DNN is technically not FIPS compliant. We had to create a new one for our biggest FIPS project. In the most extreme example, we had to work on getting everything FIPS compliant for the better part of a year. It's not just DNN and the things in it.
No, the .NET Framework isn't an issue. They're compatible with each other. In fact, most of our own DNN extensions are compiled against .NET 4.8. It would be difficult to tell you what to do next. You really need to go through the compliance checklist and build a plan around each item, based on your own environment.
Posted By Jie on 4/4/2025 9:00 AM
My takeaway was that targeting .NET Framework 4.8 is beneficial for applications needing to operate correctly when the operating system's FIPS policy is enforced. Is that accurate?
You don't need to be on .NET 4.8, but it will make things easier in some cases. Microsoft has done a TON to be compliant itself, helping us be more compliant more easily (especially in Azure).
Posted By Jie on 4/4/2025 9:00 AM
Secondly, I understood that DNN's compliance isn't automatic, but depends specifically on how it implements and utilizes cryptographic functions – essentially, whether it relies on FIPS-validated algorithms. Is this correct?
Not only the cryptographic features, but also other features. You need to go through the FIPS checklist item by item and build a plan. This advice won't change and will be slightly unique from site to site.
Posted By Jie on 4/4/2025 9:00 AM
Building on point #2, my primary question is: Does the standard implementation of DNN (DotNetNuke) utilize cryptographic algorithms that are FIPS-validated, or is specific configuration/customization required to ensure this?
It depends on how the site gets inspected and who's doing the inspecting. At the end of the day, some of this is a manual process. You really need to get together with whoever is driving this project and build a development plan around your compliance checklist.