Layer 1 (L1) - Platform OS and Policy
Objective
Establish a platform-wide cryptographic policy that constrains algorithms and determines which modules are available to applications and runtimes.
Responsibilities
- Enable FIPS mode and restrict algorithms to approved and allowed sets
- Ensure system libraries and crypto APIs select validated modules
- Configure kernel and user-space consumers such as TLS, IPsec, and SSH to enforce policy
Common components
- FIPS mode switches and crypto policy packages
- System crypto libraries and providers resolved by the OS
- Certificate stores, trust anchor packages, system-wide TLS policy
Implementation guidance
- Document the OS version, crypto policy level, and the validated providers it resolves
- Disable non-approved algorithms and curves. Remove or block unvalidated modules
- Ensure system services such as SSH and IPsec inherit the policy by default
Validation and evidence
- Configuration management showing FIPS mode and policy settings
- SBOMs and package manifests that identify the validated modules present
- Baseline hardening guides and automated policy checks
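
An automated policy check of the kind listed above, as an added example that is not part of the original guidance. It assumes a RHEL-family Linux layout (`/proc/sys/crypto/fips_enabled`, `/etc/crypto-policies/state/current`, OpenSSH server configuration under `/etc/ssh`); the function names and the `root` parameter are illustrative.

```python
"""L1 evidence collector (added example; paths assume a RHEL-family Linux layout)."""
import json
from pathlib import Path

FIPS_FLAG = "proc/sys/crypto/fips_enabled"          # kernel FIPS mode switch
POLICY_STATE = "etc/crypto-policies/state/current"  # policy applied by crypto-policies
SSHD_CONFIGS = ("etc/ssh/sshd_config", "etc/ssh/sshd_config.d")
# sshd keywords that pin algorithms locally instead of inheriting the system policy
OVERRIDE_KEYWORDS = {"ciphers", "macs", "kexalgorithms",
                     "hostkeyalgorithms", "pubkeyacceptedalgorithms"}


def read_text(path):
    """Return file content without trailing whitespace, or None if unreadable."""
    try:
        return path.read_text().rstrip()
    except OSError:
        return None


def sshd_overrides(root):
    """List 'file:line: keyword' for explicit algorithm settings in sshd config."""
    root, files, findings = Path(root), [], []
    for rel in SSHD_CONFIGS:
        p = root / rel
        files += sorted(p.glob("*.conf")) if p.is_dir() else [p]
    for f in files:
        for n, line in enumerate((read_text(f) or "").splitlines(), 1):
            words = line.split("#", 1)[0].replace("=", " ").split()
            if words and words[0].lower() in OVERRIDE_KEYWORDS:
                findings.append(f"{f.relative_to(root).as_posix()}:{n}: {words[0]}")
    return findings


def collect(root="/", required_policy="FIPS"):
    """Gather evidence under `root` (hypothetical parameter; lets the check run on an image)."""
    root = Path(root)
    policy = read_text(root / POLICY_STATE)
    evidence = {
        "fips_enabled": read_text(root / FIPS_FLAG) == "1",
        "policy": policy,  # values such as "FIPS:OSPP" carry subpolicies after the colon
        "policy_ok": policy is not None and policy.split(":")[0] == required_policy,
        "sshd_overrides": sshd_overrides(root),
    }
    evidence["compliant"] = (evidence["fips_enabled"] and evidence["policy_ok"]
                             and not evidence["sshd_overrides"])
    return evidence


if __name__ == "__main__":
    print(json.dumps(collect(), indent=2))
```

The JSON output can be stored with configuration management records; pointing `root` at an unpacked image checks it before deployment.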
Common pitfalls
- Enabling FIPS mode but leaving non-approved plugins available to workloads
- Building applications that statically link an unvalidated provider
- Allowing runtime flags to re-enable non-approved algorithms
Relationship to other AFIPS Layers
| From | To | Why this edge exists | Typical operations | Evidence |
|---|---|---|---|---|
| L1 | L2 | System selects only validated modules | FIPS mode, crypto policy packages | OS settings, SBOM for provider packages |
| L1 | L3 | Runtimes inherit platform policy | Admission rules, image signing and verification | Admission controller logs |