{"slug":"tailscale-fedramp-and-fips-140-considerations","title":"Tailscale FedRAMP and FIPS-140 considerations","tags":["tailscale"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Tailscale FedRAMP and FIPS-140 considerations\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nTailscale is a modern virtual private network (VPN) built on [WireGuard®](https://www.wireguard.com/). While Tailscale is not yet [FedRAMP](https://www.fedramp.gov/) authorized, many FedRAMP-certified Cloud Service Providers (CSPs) can use Tailscale today within properly scoped boundaries. The following information provides guidance when you evaluate Tailscale's fit within your FedRAMP Moderate environment.\r\n\r\n## [Tailscale security posture](https://tailscale.com/docs/reference/tailscale-fedramp-fips140\\#tailscale-security-posture)\r\n\r\nTailscale is SOC 2 Type II certified. You can download the SOC 2 report from the Tailscale [Legal and Trust](https://tailscale.com/legal) page. Tailscale uses WireGuard for Transport Layer security (TLS) and provides end-to-end encrypted mesh networking.\r\n\r\nTailscale's approach to secure networking embodies the principles of [least privilege](https://tailscale.com/learn/principle-of-least-privilege) and [zero trust security](https://tailscale.com/docs/concepts/zero-trust). Tailscale provides strong cryptographic protection, hardened defaults, and detailed auditing.\r\n\r\n## [FedRAMP Considerations](https://tailscale.com/docs/reference/tailscale-fedramp-fips140\\#fedramp-considerations)\r\n\r\nTailscale is useful in FedRAMP-authorized environments even without its own FedRAMP Authority to Operate (ATO) certification if integrated appropriately. Take the following into account:\r\n\r\n- **Boundary definition**: Use National Institute of Standards and Technology (NIST) [SP 800-18](https://csrc.nist.gov/pubs/sp/800/18/r1/final) and Federal Information Processing Standards (FIPS) [199](https://csrc.nist.gov/pubs/fips/199/final) to define if Tailscale is inside or outside your system boundary.\r\n\r\n- **System categorization**: Determine whether Tailscale is a major system or supporting service.\r\n\r\n- **Layered cryptography**: If you already use FIPS-validated TLS or Internet Protocol Security (IPsec), Tailscale can operate as an additional encrypted layer.\r\n\r\n\r\nTailscale provides technical documentation to assist CSPs in mapping these boundaries for compliance.\r\n\r\n## [FIPS 140-2/3 compliance context](https://tailscale.com/docs/reference/tailscale-fedramp-fips140\\#fips-140-23-compliance-context)\r\n\r\n[FIPS 140-3](https://csrc.nist.gov/pubs/fips/140-3/final) and its predecessor FIPS 140-2 define security requirements for cryptographic modules. Tailscale does not currently use a FIPS-validated cryptographic module. However, this is not always required:\r\n\r\n- If Tailscale traffic is wrapped in FIPS-validated encryption (such as TLS termination or IPsec), it may be considered compliant.\r\n- FedRAMP guidance provides for un-validated modules in layered encryption scenarios when inner layers meet [SC-8(1)/SC-28(1)](https://www.fedramp.gov/resources/documents/FedRAMP_Policy_for_Cryptographic_Module_Selection_v1.1.0.pdf).\r\n\r\nTailscale is not providing legal advice. We suggest you consult with your own experts regarding whether your use of Tailscale is considered compliant.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Tailscale FedRAMP and FIPS-140 considerations</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>Tailscale is a modern virtual private network (VPN) built on <a href=\"https://www.wireguard.com/\">WireGuard®</a>. While Tailscale is not yet <a href=\"https://www.fedramp.gov/\">FedRAMP</a> authorized, many FedRAMP-certified Cloud Service Providers (CSPs) can use Tailscale today within properly scoped boundaries. The following information provides guidance when you evaluate Tailscale's fit within your FedRAMP Moderate environment.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-fedramp-fips140#tailscale-security-posture\">Tailscale security posture</a></h2>\n<p>Tailscale is SOC 2 Type II certified. You can download the SOC 2 report from the Tailscale <a href=\"https://tailscale.com/legal\">Legal and Trust</a> page. Tailscale uses WireGuard for Transport Layer security (TLS) and provides end-to-end encrypted mesh networking.</p>\n<p>Tailscale's approach to secure networking embodies the principles of <a href=\"https://tailscale.com/learn/principle-of-least-privilege\">least privilege</a> and <a href=\"https://tailscale.com/docs/concepts/zero-trust\">zero trust security</a>. Tailscale provides strong cryptographic protection, hardened defaults, and detailed auditing.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-fedramp-fips140#fedramp-considerations\">FedRAMP Considerations</a></h2>\n<p>Tailscale is useful in FedRAMP-authorized environments even without its own FedRAMP Authority to Operate (ATO) certification if integrated appropriately. Take the following into account:</p>\n<ul>\n<li>\n<p><strong>Boundary definition</strong>: Use National Institute of Standards and Technology (NIST) <a href=\"https://csrc.nist.gov/pubs/sp/800/18/r1/final\">SP 800-18</a> and Federal Information Processing Standards (FIPS) <a href=\"https://csrc.nist.gov/pubs/fips/199/final\">199</a> to define if Tailscale is inside or outside your system boundary.</p>\n</li>\n<li>\n<p><strong>System categorization</strong>: Determine whether Tailscale is a major system or supporting service.</p>\n</li>\n<li>\n<p><strong>Layered cryptography</strong>: If you already use FIPS-validated TLS or Internet Protocol Security (IPsec), Tailscale can operate as an additional encrypted layer.</p>\n</li>\n</ul>\n<p>Tailscale provides technical documentation to assist CSPs in mapping these boundaries for compliance.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-fedramp-fips140#fips-140-23-compliance-context\">FIPS 140-2/3 compliance context</a></h2>\n<p><a href=\"https://csrc.nist.gov/pubs/fips/140-3/final\">FIPS 140-3</a> and its predecessor FIPS 140-2 define security requirements for cryptographic modules. Tailscale does not currently use a FIPS-validated cryptographic module. However, this is not always required:</p>\n<ul>\n<li>If Tailscale traffic is wrapped in FIPS-validated encryption (such as TLS termination or IPsec), it may be considered compliant.</li>\n<li>FedRAMP guidance provides for un-validated modules in layered encryption scenarios when inner layers meet <a href=\"https://www.fedramp.gov/resources/documents/FedRAMP_Policy_for_Cryptographic_Module_Selection_v1.1.0.pdf\">SC-8(1)/SC-28(1)</a>.</li>\n</ul>\n<p>Tailscale is not providing legal advice. We suggest you consult with your own experts regarding whether your use of Tailscale is considered compliant.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}